diff --git a/README.md b/README.md index 013cc7f..23f40e7 100644 --- a/README.md +++ b/README.md @@ -8,10 +8,10 @@ This release corresponds to the following OS versions | OS | Version | |---------|---------| -| iOS | 16.4 | -| macOS | 13.3 | -| tvOS | 16.4 | -| watchOS | 9.4 | +| iOS | 17.0 | +| macOS | 14.0 | +| tvOS | 17.0 | +| watchOS | 10.0 | ## What's Available @@ -20,6 +20,7 @@ The following schema items are available: * MDM commands - `mdm/commands` * MDM check-in requests - `mdm/checkin` * MDM profiles - `mdm/profiles` +* MDM errors - `mdm/errors` * Declarative device management declarations - `declarative/declarations` * Declarative device management status items - `declarative/status` diff --git a/declarative/declarations/activations/simple.yaml b/declarative/declarations/activations/simple.yaml index b07b98d..d915717 100644 --- a/declarative/declarations/activations/simple.yaml +++ b/declarative/declarations/activations/simple.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + watchOS: + introduced: '10.0' payloadkeys: - key: StandardConfigurations type: diff --git a/declarative/declarations/assets/credential.acme.yaml b/declarative/declarations/assets/credential.acme.yaml new file mode 100644 index 0000000..c2feade --- /dev/null +++ b/declarative/declarations/assets/credential.acme.yaml 
@@ -0,0 +1,68 @@ +title: Asset:Credential ACME +description: A reference to an ACME identity. +payload: + declarationtype: com.apple.asset.credential.acme + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + watchOS: + introduced: '10.0' +payloadkeys: +- key: Reference + type: + presence: required + content: |- + The external reference. Ensure that the asset data: + * Is a JSON document that represents the 'com.apple.credential.acme' credential type + * Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json' + subkeys: + - key: DataURL + type: + presence: required + content: The URL that hosts the credential data. The URL must start with 'https://'. + - key: ContentType + type: + presence: optional + content: The media type that describes the data. + - key: Size + type: + presence: optional + content: The size of the data at the 'DataURL'. Use this value to verify that + the returned data is the expected data. Use this value to detect when the data + changes. + - key: Hash-SHA-256 + type: + presence: optional + content: |- + A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes. + If 'Size' is '0', clients need to ignore this value or set it to an empty string. +- key: Authentication + type: + presence: optional + content: The server authentication details. + subkeys: + - key: Type + type: + presence: required + rangelist: + - MDM + - None + content: |- + Type of authentication: + * MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management. + * None - a standard GET request is carried out. 
+- key: Accessible + type: + presence: optional + rangelist: + - Default + - AfterFirstUnlock + default: Default + content: |- + The keychain accessibility that determines when the keychain item is available for use, which has these allowed values: + * 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it. + * 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device. diff --git a/declarative/declarations/assets/credential.certificate.yaml b/declarative/declarations/assets/credential.certificate.yaml new file mode 100644 index 0000000..36be55b --- /dev/null +++ b/declarative/declarations/assets/credential.certificate.yaml 
@@ -0,0 +1,57 @@ +title: Asset:Credential Certificate +description: 'A reference to a PKCS #1 or PEM encoded certificate.' +payload: + declarationtype: com.apple.asset.credential.certificate + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + watchOS: + introduced: '10.0' +payloadkeys: +- key: Reference + type: + presence: required + content: The external reference. Ensure that the asset data uses a media type of + 'application/pkcs1' or 'application/pem' to correctly identify the type of encoded + certificate. If the asset data includes a 'ContentType' sub-key, set it to the + corresponding media type. + subkeys: + - key: DataURL + type: + presence: required + content: The URL that hosts the credential data. The URL must start with 'https://'. + - key: ContentType + type: + presence: optional + content: The media type that describes the data. + - key: Size + type: + presence: optional + content: The size of the data at the 'DataURL'. Use this value to verify that + the returned data is the expected data. Use this value to detect when the data + changes. + - key: Hash-SHA-256 + type: + presence: optional + content: |- + A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes. + If 'Size' is '0', clients need to ignore this value or set it to an empty string. +- key: Authentication + type: + presence: optional + content: The server authentication details. + subkeys: + - key: Type + type: + presence: required + rangelist: + - MDM + - None + content: |- + Type of authentication: + * MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management. + * None - a standard GET request is carried out. 
diff --git a/declarative/declarations/assets/credential.identity.yaml b/declarative/declarations/assets/credential.identity.yaml new file mode 100644 index 0000000..1310fdc --- /dev/null +++ b/declarative/declarations/assets/credential.identity.yaml 
@@ -0,0 +1,68 @@ +title: Asset:Credential Identity +description: 'A reference to a PKCS #12 password-protected identity.' +payload: + declarationtype: com.apple.asset.credential.identity + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + watchOS: + introduced: '10.0' +payloadkeys: +- key: Reference + type: + presence: required + content: |- + The external reference. Ensure that the asset data: + * Is a JSON document that represents the 'com.apple.credential.identity' credential type + * Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json' + subkeys: + - key: DataURL + type: + presence: required + content: The URL that hosts the credential data. The URL must start with 'https://'. + - key: ContentType + type: + presence: optional + content: The media type that describes the data. + - key: Size + type: + presence: optional + content: The size of the data at the 'DataURL'. Use this value to verify that + the returned data is the expected data. Use this value to detect when the data + changes. + - key: Hash-SHA-256 + type: + presence: optional + content: |- + A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes. + If 'Size' is '0', clients need to ignore this value or set it to an empty string. +- key: Authentication + type: + presence: optional + content: The server authentication details. + subkeys: + - key: Type + type: + presence: required + rangelist: + - MDM + - None + content: |- + Type of authentication: + * MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management. + * None - a standard GET request is carried out. 
+- key: Accessible + type: + presence: optional + rangelist: + - Default + - AfterFirstUnlock + default: Default + content: |- + The keychain accessibility that determines when the keychain item is available for use, which has these allowed values: + * 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it. + * 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device. diff --git a/declarative/declarations/assets/credential.scep.yaml b/declarative/declarations/assets/credential.scep.yaml new file mode 100644 index 0000000..c4daf10 --- /dev/null +++ b/declarative/declarations/assets/credential.scep.yaml 
@@ -0,0 +1,68 @@ +title: Asset:Credential SCEP +description: A reference to a SCEP identity. +payload: + declarationtype: com.apple.asset.credential.scep + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + watchOS: + introduced: '10.0' +payloadkeys: +- key: Reference + type: + presence: required + content: |- + The external reference. Ensure that the asset data: + * Is a JSON document that represents the 'com.apple.credential.scep' credential type + * Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json' + subkeys: + - key: DataURL + type: + presence: required + content: The URL that hosts the credential data. The URL must start with 'https://'. + - key: ContentType + type: + presence: optional + content: The media type that describes the data. + - key: Size + type: + presence: optional + content: The size of the data at the 'DataURL'. Use this value to verify that + the returned data is the expected data. Use this value to detect when the data + changes. + - key: Hash-SHA-256 + type: + presence: optional + content: |- + A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes. + If 'Size' is '0', clients need to ignore this value or set it to an empty string. +- key: Authentication + type: + presence: optional + content: The server authentication details. + subkeys: + - key: Type + type: + presence: required + rangelist: + - MDM + - None + content: |- + Type of authentication: + * MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management. + * None - a standard GET request is carried out. 
+- key: Accessible + type: + presence: optional + rangelist: + - Default + - AfterFirstUnlock + default: Default + content: |- + The keychain accessibility that determines when the keychain item is available for use, which has these allowed values: + * 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it. + * 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device. diff --git a/declarative/declarations/assets/credential.userpassword.yaml b/declarative/declarations/assets/credential.userpassword.yaml index 45a9e0b..f45b74c 100644 --- a/declarative/declarations/assets/credential.userpassword.yaml +++ b/declarative/declarations/assets/credential.userpassword.yaml @@ -1,6 +1,6 @@ -title: Credential:User Name and Password +title: Asset:Credential User Name and Password description: A reference to data describing a credential representing a user name - and password. Note that this should always be considered as security sensitive data. + and password. payload: declarationtype: com.apple.asset.credential.userpassword supportedOS: @@ -10,11 +10,16 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + watchOS: + introduced: '10.0' payloadkeys: - key: Reference type: presence: required - content: The reference to the credential. + content: |- + The external reference. Ensure that the asset data: + * Is a JSON document that represents the 'com.apple.credential.usernameandpassword' credential type + * Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json' subkeys: - key: DataURL type: 
@@ -22,17 +27,41 @@ payloadkeys: content: The URL that hosts the credential data. The URL must start with 'https://'. - key: ContentType type: - presence: required + presence: optional content: The media type that describes the data. - key: Size type: - presence: required + presence: optional content: The size of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes. - key: Hash-SHA-256 type: - presence: required + presence: optional content: |- A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes. If 'Size' is '0', clients need to ignore this value or set it to an empty string. +- key: Authentication + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + watchOS: + introduced: '10.0' + type: + presence: optional + content: The server authentication details. + subkeys: + - key: Type + type: + presence: required + rangelist: + - MDM + - None + content: |- + Type of authentication: + * MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management. + * None - a standard GET request is carried out. diff --git a/declarative/declarations/assets/credentials/acme.yaml b/declarative/declarations/assets/credentials/acme.yaml new file mode 100644 index 0000000..3d6f2e5 --- /dev/null +++ b/declarative/declarations/assets/credentials/acme.yaml 
@@ -0,0 +1,138 @@ +title: ACME Credential +description: An ACME identity that should be generated by the device. +payload: + credentialtype: com.apple.credential.acme + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + watchOS: + introduced: '10.0' +payloadkeys: +- key: DirectoryURL + title: ACME directory URL + type: + presence: required + content: Specifies the directory URL of the ACME server. Use the 'https' scheme + for the URL. +- key: ClientIdentifier + title: Client identifier + type: + presence: required + content: The server can use this as a nonce to prevent issuing multiple certificates. + It also indicates to the ACME server that the device has access to a valid client + identifier that the enterprise infrastructure issued. This can help the ACME server + determine whether to trust the device, however this is a relatively weak indication + because of the risk that an attacker may intercept and duplicate the client identifier. +- key: KeySize + title: Key Size + type: + presence: required + content: The valid values for 'KeySize' depend on the values of 'KeyType' and 'HardwareBound'. + See those keys for specific requirements. +- key: KeyType + title: Key Type + type: + presence: required + rangelist: + - RSA + - ECSECPrimeRandom + content: |- + Specifies the type of key pair to generate. + 'RSA' specifies an RSA key pair. If you set this value to 'RSA', set 'KeySize' in the range '[1024..4096]' inclusive and a multiple of '8', and set 'HardwareBound' to 'false'. + 'ECSECPrimeRandom' specifies a key pair on the P-256, P-384 or P-521 curves as defined in FIPS Pub 186-4, and 'KeySize' determines the specific curve. If you set this value to 'ECSECPrimeRandom', set 'KeySize' to '256', '384', or '521'. The system only supports '256' and '384' for hardware bound keys. + The key size is '521', not '512', even though the other key sizes are multiples of '64'. 
+- key: HardwareBound + title: Hardware Bound + type: + presence: required + content: |- + If 'false', the private key isn't bound to the device. + If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This protects the private key from being exported. + If 'true', 'KeyType' needs to be 'ECSECPrimeRandom' and 'KeySize' needs to be '256' or '384'. + On macOS, this is a required key. Set the value to 'false'. +- key: Subject + title: Subject + type: + presence: required + content: |- + The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. + The representation of an X.500 name is an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to: + '[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], [ [ “CN”, “foo”] ], [ [ “1.2.5.3”, “bar” ] ] ]' + You can represent OIDs as dotted numbers or use shortcuts for country ('C'), locality ('L'), state ('ST'), organization ('O'), organizational unit ('OU'), and common name ('CN'). + subkeys: + - key: ACMESubjectArrayInnerArray + title: Array Inside ACME Subject Array + type: + subkeys: + - key: ACMESubjectArrayPair + title: Subject Array Pair + type: + subkeys: + - key: ACMESubjectArrayPairItem + title: ACME Subject Array Pair Item + type: + repetition: + min: 2 + max: 2 + content: One item in the array representing a pair of OID and value +- key: SubjectAltName + title: Subject Alt Name + type: + presence: optional + content: Specifies the subject's alternative name that the device requests for the + certificate that the ACME server issues. The ACME server may override or ignore + this field in the certificate it issues. + subkeys: + - key: rfc822Name + title: RFC 822 Name + type: + presence: optional + content: The RFC 822 email address. 
+ - key: dNSName + title: DNS Name + type: + presence: optional + content: The DNS name. + - key: uniformResourceIdentifier + title: URI + type: + presence: optional + content: The uniform resource identifier. + - key: ntPrincipalName + title: NT Principal Name + type: + presence: optional + content: The NT principal name. +- key: UsageFlags + title: Key Usage + type: + presence: optional + content: |- + The device requests this key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. + The value is a bit field. Bit '0x01' indicates digital signature, and bit '0x04' indicates key encipherment. +- key: ExtendedKeyUsage + title: Extended Key Usage + type: + presence: optional + content: |- + The device requests this extended key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. + The value is an array of strings. Each string is an OID in dotted notation. For example, '[”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”]' indicates client authentication and email protection. + subkeys: + - key: OID + type: + presence: optional +- key: Attest + title: Attest + type: + presence: optional + default: false + content: If 'true', the device provides attestations that describe the device and + the generated key to the ACME server. The server can use the attestations as strong + evidence that the key is bound to the device, and that the device has properties + listed in the attestation. The server can use that as part of a trust score to + decide whether to issue the requested certificate. When 'Attest' is 'true', set + 'HardwareBound' to 'true'. On macOS, set this key, if present, to 'false'. diff --git a/declarative/declarations/assets/credentials/identity.yaml b/declarative/declarations/assets/credentials/identity.yaml new file mode 100644 index 0000000..a291367 --- /dev/null 
+++ b/declarative/declarations/assets/credentials/identity.yaml @@ -0,0 +1,22 @@ +title: Identity Credential +description: 'Data for a PKCS #12 password-protected identity.' +payload: + credentialtype: com.apple.credential.identity + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + watchOS: + introduced: '10.0' +payloadkeys: +- key: Password + type: + presence: required + content: 'The password required to decrypt the PKCS #12 identity data.' +- key: Identity + type: + presence: required + content: 'The PKCS #12 identity data.' diff --git a/declarative/declarations/assets/credentials/scep.yaml b/declarative/declarations/assets/credentials/scep.yaml new file mode 100644 index 0000000..c2427a0 --- /dev/null +++ b/declarative/declarations/assets/credentials/scep.yaml 
@@ -0,0 +1,125 @@ +title: SCEP Credential +description: A SCEP identity that should be generated by the device. +payload: + credentialtype: com.apple.credential.scep + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + watchOS: + introduced: '10.0' +payloadkeys: +- key: URL + title: URL + type: + presence: required + content: The SCEP URL. +- key: Name + title: Name + type: + presence: optional + content: Any string that the SCEP server recognizes. For example, it could be a + domain name such as 'example.org'. If a certificate authority has multiple CA + certificates, you can use this field to specify the required certificate. +- key: Subject + title: Subject + type: + presence: optional + content: |- + The representation of an X.500 name is an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to: + '[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], [ [ “CN”, “foo”] ], [ [ “1.2.5.3”, “bar” ] ] ]' + You can represent OIDs as dotted numbers or use shortcuts for country ('C'), locality ('L'), state ('ST'), organization ('O'), organizational unit ('OU'), and common name ('CN'). + subkeys: + - key: SCEPSubjectArrayInnerArray + title: Array Inside SCEP Subject Array + type: + subkeys: + - key: SCEPSubjectArrayPair + title: Subject Array Pair + type: + subkeys: + - key: SCEPSubjectArrayPairItem + title: SCEP Subject Array Pair Item + type: + repetition: + min: 2 + max: 2 + content: One item in the array representing a pair of OID and value +- key: Challenge + title: Challenge + type: + presence: optional + content: A preshared secret. +- key: Keysize + title: Key Size + type: + presence: optional + rangelist: + - 1024 + - 2048 + - 4096 + default: 1024 + content: The key size in bits, either '1024', '2048', or '4096'. +- key: Key Type + title: Key Type + type: + presence: optional + default: RSA + content: The key type, which always has the value 'RSA'. 
+- key: Key Usage + title: Key Usage + type: + presence: optional + default: 0 + content: 'A bitmask that specifies the use of the key: ''1'' is signing, ''4'' is + encryption, and ''5'' is both signing and encryption. Some certificate authorities, + such as Windows CA, support only encryption or signing, but not both at the same + time.' +- key: CAFingerprint + title: Fingerprint + type: + presence: optional + content: The fingerprint of the Certificate Authority certificate. +- key: Retries + title: Retries + type: + presence: optional + default: 3 + content: The number of times the device should retry if the server sends a 'PENDING' + response. +- key: RetryDelay + title: Retry Delay + type: + presence: optional + default: 10 + content: The number of seconds to wait between subsequent retries. The system makes + the first retry without this delay. +- key: SubjectAltName + title: Subject Alt Name + type: + presence: optional + content: The subject's alternative name for the certificate. + subkeys: + - key: rfc822Name + title: RFC 822 Name + type: + presence: optional + content: The RFC 822 email address. + - key: dNSName + title: DNS Name + type: + presence: optional + content: The DNS name. + - key: uniformResourceIdentifier + title: URI + type: + presence: optional + content: The uniform resource identifier. + - key: ntPrincipalName + title: NT Principal Name + type: + presence: optional + content: The NT principal name. diff --git a/declarative/declarations/assets/credentials/usernameandpassword.yaml b/declarative/declarations/assets/credentials/usernameandpassword.yaml index d2b3c99..dd95b46 100644 --- a/declarative/declarations/assets/credentials/usernameandpassword.yaml +++ b/declarative/declarations/assets/credentials/usernameandpassword.yaml 
@@ -1,4 +1,4 @@ -title: User Name and Password Credentials +title: User Name and Password Credential description: Data describing a credential representing a user name and password. payload: credentialtype: com.apple.credential.usernameandpassword @@ -9,12 +9,14 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + watchOS: + introduced: '10.0' payloadkeys: - key: UserName type: presence: required - content: The user's user name for the credential. + content: The user name for this credential. - key: Password type: presence: optional - content: The user's password for the credential. + content: The password for this credential. diff --git a/declarative/declarations/assets/data.yaml b/declarative/declarations/assets/data.yaml new file mode 100644 index 0000000..7b8fcbb --- /dev/null +++ b/declarative/declarations/assets/data.yaml 
@@ -0,0 +1,54 @@ +title: Asset:Data +description: A reference to arbitrary data with a specific media type. +payload: + declarationtype: com.apple.asset.data + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + watchOS: + introduced: '10.0' +payloadkeys: +- key: Reference + type: + presence: required + content: The external reference. + subkeys: + - key: DataURL + type: + presence: required + content: The URL that hosts the credential data. The URL must start with 'https://'. + - key: ContentType + type: + presence: optional + content: The media type that describes the data. + - key: Size + type: + presence: optional + content: The size of the data at the 'DataURL'. Use this value to verify that + the returned data is the expected data. Use this value to detect when the data + changes. + - key: Hash-SHA-256 + type: + presence: optional + content: |- + A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes. + If 'Size' is '0', clients need to ignore this value or set it to an empty string. +- key: Authentication + type: + presence: optional + content: The server authentication details. + subkeys: + - key: Type + type: + presence: required + rangelist: + - MDM + - None + content: |- + Type of authentication: + * MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management. + * None - a standard GET request is carried out. diff --git a/declarative/declarations/assets/useridentity.yaml b/declarative/declarations/assets/useridentity.yaml index dad12ef..7eaa6f1 100644 --- a/declarative/declarations/assets/useridentity.yaml +++ b/declarative/declarations/assets/useridentity.yaml 
@@ -1,4 +1,4 @@ -title: User Identity +title: Asset:User Identity description: User identity data. payload: declarationtype: com.apple.asset.useridentity @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + watchOS: + introduced: '10.0' payloadkeys: - key: FullName title: Full Name @@ -19,4 +21,4 @@ payloadkeys: title: Email Address type: presence: optional - content: The user's email address. + content: The email address of the user. diff --git a/declarative/declarations/configurations/account.caldav.yaml b/declarative/declarations/configurations/account.caldav.yaml index d7fb2ef..6cefb24 100644 --- a/declarative/declarations/configurations/account.caldav.yaml +++ b/declarative/declarations/configurations/account.caldav.yaml @@ -5,20 +5,27 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a content: A CalDAV configuration defines a CalDAV calendar and reminders account for a user. payloadkeys: @@ -32,7 +39,7 @@ payloadkeys: title: Server Host Name type: presence: required - content: The hostname of the CalDAV server (or IP address). + content: The hostname or IP address of the CalDAV server. - key: Port title: Server Port type: 
@@ -46,6 +53,8 @@ payloadkeys: - key: AuthenticationCredentialsAssetReference title: Authentication Credentials Asset Reference type: + assettypes: + - com.apple.asset.credential.userpassword presence: optional content: The identifier of an asset declaration that contains the credentials for - this account. The corresponding asset must be of type CredentialUserNameAndPassword. + this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'. diff --git a/declarative/declarations/configurations/account.carddav.yaml b/declarative/declarations/configurations/account.carddav.yaml index 3a3c4c4..b89b56b 100644 --- a/declarative/declarations/configurations/account.carddav.yaml +++ b/declarative/declarations/configurations/account.carddav.yaml @@ -5,20 +5,27 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a content: A CardDAV configuration defines a CardDAV contacts account for a user. payloadkeys: - key: VisibleName @@ -31,7 +38,7 @@ payloadkeys: title: Server Host Name type: presence: required - content: The hostname of the CardDAV server (or IP address). + content: The hostname or IP address of the CardDAV server. - key: Port title: Server Port type: 
@@ -45,6 +52,8 @@ payloadkeys: - key: AuthenticationCredentialsAssetReference title: Authentication Credentials Asset Reference type: + assettypes: + - com.apple.asset.credential.userpassword presence: optional content: The identifier of an asset declaration that contains the credentials for - this account. The corresponding asset must be of type CredentialUserNameAndPassword. + this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'. diff --git a/declarative/declarations/configurations/account.exchange.yaml b/declarative/declarations/configurations/account.exchange.yaml index a86735e..6bdf25b 100644 --- a/declarative/declarations/configurations/account.exchange.yaml +++ b/declarative/declarations/configurations/account.exchange.yaml @@ -6,20 +6,27 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a content: This payload configures an Exchange ActiveSync account on an iOS device. payloadkeys: - key: VisibleName @@ -48,9 +55,11 @@ payloadkeys: - key: UserIdentityAssetReference title: User Identity Asset Reference type: + assettypes: + - com.apple.asset.useridentity presence: optional content: The identifier of an asset declaration that contains the user identity - for this account. The corresponding asset must be of type UserIdentity. + for this account. The corresponding asset must be of type 'UserIdentity'. - key: HostName title: Server Host Name type: 
@@ -133,10 +142,111 @@ payloadkeys: - key: AuthenticationCredentialsAssetReference title: Authentication Credentials Asset Reference type: + assettypes: + - com.apple.asset.credential.userpassword presence: optional content: The identifier of an asset declaration that contains the credentials for - this account to authenticate with an Exchange server. The corresponding asset - must be of type CredentialUserNameAndPassword. + this account to authenticate with an Exchange server. Set the corresponding asset + type to 'CredentialUserNameAndPassword'. +- key: AuthenticationIdentityAssetReference + title: Authentication Identity Asset Reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: Specifies the identifier of a credential asset declaration that contains + the identity that this account requires to authenticate with the Exchange server. +- key: SMIME + title: S/MIME Settings + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: n/a + type: + presence: optional + content: Settings for S/MIME. + subkeys: + - key: Signing + title: S/MIME Signing Settings + type: + presence: optional + content: Settings for S/MIME signing. + subkeys: + - key: Enabled + title: Signing Enabled + type: + presence: required + content: If 'true', the system enables S/MIME signing. + - key: IdentityAssetReference + title: S/MIME Signing Identity Asset Reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: Specifies the identifier of an asset declaration containing the identity + required for S/MIME signing of messages sent from this account. + - key: UserOverrideable + title: Signing User Overrideable + type: + presence: optional + default: false + content: If 'true', the user can turn S/MIME signing on or off in Settings. 
+ - key: IdentityUserOverrideable + title: Signing Identity User Overrideable + type: + presence: optional + default: false + content: If 'true', the user can select an S/MIME signing identity in Settings. + - key: Encryption + title: S/MIME Encryption Settings + type: + presence: optional + content: Settings for S/MIME encryption. + subkeys: + - key: Enabled + title: Encryption By Default Enabled + type: + presence: required + content: If 'true', the system enables S/MIME encryption by default, which the + user can't override if 'PerMessageSwitchEnabled' is 'false'. + - key: IdentityAssetReference + title: S/MIME Encryption Identity Asset Reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: Specifies the identifier of an asset declaration containing the identity + required for S/MIME encryption. The system attaches the public certificate + to outgoing mail to allow the user to receive encrypted mail. When the user + sends encrypted mail, the system uses the public certificate to encrypt the + copy of the mail in their Sent mailbox. + - key: UserOverrideable + title: Encryption By Default User Overrideable + type: + presence: optional + default: false + content: If 'true', the user can turn S/MIME encryption by default on or off + in Settings. + - key: IdentityUserOverrideable + title: Encryption Identity User Overrideable + type: + presence: optional + default: false + content: If 'true', the user can select an S/MIME signing identity in Settings. + - key: PerMessageSwitchEnabled + title: Per Message Switch Enabled + type: + presence: optional + default: false + content: If 'true', the system enables the per-message encryption switch in + the compose view. - key: MailServiceActive supportedOS: macOS: 
diff --git a/declarative/declarations/configurations/account.google.yaml b/declarative/declarations/configurations/account.google.yaml index 3ed2386..0a4de29 100644 --- a/declarative/declarations/configurations/account.google.yaml +++ b/declarative/declarations/configurations/account.google.yaml @@ -5,20 +5,27 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a content: A Google configuration defines a Google account for a user. The user will be prompted to enter their credentials shortly after the configuration successfully installs. @@ -32,8 +39,10 @@ payloadkeys: - key: UserIdentityAssetReference title: User Identity Asset Reference type: + assettypes: + - com.apple.asset.useridentity presence: required content: The identifier of an asset declaration that contains the user identity - for this Google account. The corresponding asset must be of type UserIdentity. - The asset must contain an 'EmailAddress' key that specifies the full Google email + for this Google account. Set the corresponding asset type to 'UserIdentity' and + ensure that it contains an 'EmailAddress' key that specifies the full Google email address for the account. diff --git a/declarative/declarations/configurations/account.ldap.yaml b/declarative/declarations/configurations/account.ldap.yaml index 32ce8fa..73c242a 100644 --- a/declarative/declarations/configurations/account.ldap.yaml +++ b/declarative/declarations/configurations/account.ldap.yaml 
@@ -5,20 +5,27 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a content: An LDAP configuration defines an LDAP directory account for a user. payloadkeys: - key: VisibleName @@ -31,18 +38,20 @@ payloadkeys: title: Server Host Name type: presence: required - content: The hostname of the LDAP server (or IP address). + content: The hostname or IP address of the LDAP server. - key: Port title: Server Port type: presence: optional - content: The port number of the LDAP server (or IP address). + content: The port number or IP address of the LDAP server. - key: AuthenticationCredentialsAssetReference title: Authentication Credentials Asset Reference type: + assettypes: + - com.apple.asset.credential.userpassword presence: optional content: The identifier of an asset declaration that contains the credentials for - this account. The corresponding asset must be of type CredentialUserNameAndPassword. + this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'. - key: SearchSettings title: Search Settings type: diff --git a/declarative/declarations/configurations/account.mail.yaml b/declarative/declarations/configurations/account.mail.yaml index 2a9d9b4..478a990 100644 --- a/declarative/declarations/configurations/account.mail.yaml +++ b/declarative/declarations/configurations/account.mail.yaml 
@@ -5,20 +5,27 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a content: An email configuration defines an email account for a user. payloadkeys: - key: VisibleName @@ -30,9 +37,11 @@ payloadkeys: - key: UserIdentityAssetReference title: User Identity Asset Reference type: + assettypes: + - com.apple.asset.useridentity presence: optional content: The identifier of an asset declaration that contains the user identity - for this account. The corresponding asset must be of type UserIdentity. + for this account. Set the corresponding asset type to 'UserIdentity'. - key: IncomingServer title: Incoming Server Settings type: @@ -71,9 +80,11 @@ payloadkeys: - key: AuthenticationCredentialsAssetReference title: Authentication Credentials Asset Reference type: + assettypes: + - com.apple.asset.credential.userpassword presence: optional content: |- - The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type CredentialUserNameAndPassword. + The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type 'CredentialUserNameAndPassword'. If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field. - key: IMAPPathPrefix title: IMAP Path Prefix 
@@ -111,7 +122,98 @@ payloadkeys: - key: AuthenticationCredentialsAssetReference title: Authentication Credentials Asset Reference type: + assettypes: + - com.apple.asset.credential.userpassword presence: optional content: |- - The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type CredentialUserNameAndPassword. + The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type 'CredentialUserNameAndPassword'. If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field. +- key: SMIME + title: S/MIME Settings + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: n/a + type: + presence: optional + content: Settings for S/MIME. + subkeys: + - key: Signing + title: S/MIME Signing Settings + type: + presence: optional + content: Settings for S/MIME signing. + subkeys: + - key: Enabled + title: Signing Enabled + type: + presence: required + content: If 'true', the system enables S/MIME signing. + - key: IdentityAssetReference + title: S/MIME Signing Identity Asset Reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: Specifies the identifier of an asset declaration containing the identity + required for S/MIME signing of messages sent from this account. + - key: UserOverrideable + title: Signing User Overrideable + type: + presence: optional + default: false + content: If 'true', the user can turn S/MIME signing on or off in Settings. + - key: IdentityUserOverrideable + title: Signing Identity User Overrideable + type: + presence: optional + default: false + content: If 'true', the user can select an S/MIME signing identity in Settings. 
+ - key: Encryption + title: S/MIME Encryption Settings + type: + presence: optional + content: Settings for S/MIME encryption. + subkeys: + - key: Enabled + title: Encryption By Default Enabled + type: + presence: required + content: If 'true', the system enables S/MIME encryption by default, which the + user can't override if 'PerMessageSwitchEnabled' is 'false'. + - key: IdentityAssetReference + title: S/MIME Encryption Identity Asset Reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: Specifies the identifier of an asset declaration containing the identity + required for S/MIME encryption. The system attaches the public certificate + to outgoing mail to allow the user to receive encrypted mail. When the user + sends encrypted mail, the system uses the public certificate to encrypt the + copy of the mail in their Sent mailbox. + - key: UserOverrideable + title: Encryption By Default User Overrideable + type: + presence: optional + default: false + content: If 'true', the user can set the default value for S/MIME encryption + to on or off in Settings. + - key: IdentityUserOverrideable + title: Encryption Identity User Overrideable + type: + presence: optional + default: false + content: If 'true', the user can select an S/MIME signing identity in Settings. + - key: PerMessageSwitchEnabled + title: Per Message Switch Enabled + type: + presence: optional + default: false + content: If 'true', the system enables the per-message encryption switch in + the compose view. diff --git a/declarative/declarations/configurations/account.subscribed-calendar.yaml b/declarative/declarations/configurations/account.subscribed-calendar.yaml index 09a2332..6fb0dd6 100644 --- a/declarative/declarations/configurations/account.subscribed-calendar.yaml +++ b/declarative/declarations/configurations/account.subscribed-calendar.yaml 
@@ -5,16 +5,27 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed + allowed-scopes: + - user macOS: - introduced: n/a + introduced: '14.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a content: A subscribed calendar configuration defines a subscribed calendar for a user. payloadkeys: @@ -28,11 +39,13 @@ payloadkeys: title: Calendar URL type: presence: required - content: The URL of the subscribed calendar. The URL must start with 'https://'. + content: The URL of the subscribed calendar, which needs to start with 'https://'. - key: AuthenticationCredentialsAssetReference title: Authentication Credentials Asset Reference type: + assettypes: + - com.apple.asset.credential.userpassword presence: optional content: The identifier of an asset declaration that contains the credentials for - this account to authenticate with a calendar server. The corresponding asset must - be of type CredentialUserNameAndPassword. + this account to authenticate with a calendar server. Set the corresponding asset + type to 'CredentialUserNameAndPassword'. diff --git a/declarative/declarations/configurations/legacy.interactive.yaml b/declarative/declarations/configurations/legacy.interactive.yaml index 96051a0..9dd0e4c 100644 --- a/declarative/declarations/configurations/legacy.interactive.yaml +++ b/declarative/declarations/configurations/legacy.interactive.yaml 
@@ -6,26 +6,37 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + allowed-scopes: + - system sharedipad: - mode: forbidden - userenrollment: - mode: allowed + allowed-scopes: [] macOS: introduced: '13.0' - devicechannel: true - userchannel: true - userenrollment: - mode: allowed + allowed-enrollments: + - device + - user + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + allowed-scopes: + - system + watchOS: + introduced: n/a payloadkeys: - key: ProfileURL title: Profile's URL. type: presence: required content: |- - The URL of the profile to download and install. This must be an 'https://' URL. - If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile. + The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead. + If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile. - key: VisibleName title: Configuration Visible Name type: diff --git a/declarative/declarations/configurations/legacy.yaml b/declarative/declarations/configurations/legacy.yaml index 222df33..40aaf96 100644 --- a/declarative/declarations/configurations/legacy.yaml +++ b/declarative/declarations/configurations/legacy.yaml 
@@ -5,25 +5,44 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed + allowed-scopes: + - system + - user macOS: introduced: '13.0' - devicechannel: true - userchannel: true - userenrollment: - mode: allowed + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: ProfileURL title: Profile's URL. type: presence: required content: |- - The URL of the profile to download and install. This must be an 'https://' URL. + The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead. If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile. diff --git a/declarative/declarations/configurations/management.status-subscriptions.yaml b/declarative/declarations/configurations/management.status-subscriptions.yaml index 501617b..0fce14f 100644 --- a/declarative/declarations/configurations/management.status-subscriptions.yaml +++ b/declarative/declarations/configurations/management.status-subscriptions.yaml 
@@ -6,20 +6,35 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed + allowed-scopes: + - system + - user macOS: introduced: '13.0' - devicechannel: true - userchannel: true - userenrollment: - mode: allowed + allowed-enrollments: + - device + - user + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + allowed-scopes: + - system payloadkeys: - key: StatusItems title: Status Items diff --git a/declarative/declarations/configurations/management.test.yaml b/declarative/declarations/configurations/management.test.yaml index 212b69f..ab7bb94 100644 --- a/declarative/declarations/configurations/management.test.yaml +++ b/declarative/declarations/configurations/management.test.yaml 
@@ -5,26 +5,60 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed + allowed-scopes: + - system + - user macOS: introduced: '13.0' - devicechannel: true - userchannel: true - userenrollment: - mode: allowed + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: Echo title: Status Echo type: presence: required content: The string to echo back in a status response reason. +- key: EchoDataAssetReference + title: Status Echo from Asset + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + type: + assettypes: + - com.apple.asset.data + presence: optional + content: The string to read from a data asset to echo back in status response reason + description. - key: ReturnStatus title: Status to Return type: diff --git a/declarative/declarations/configurations/passcode.settings.yaml b/declarative/declarations/configurations/passcode.settings.yaml index 820a3fa..d5a3a2d 100644 --- a/declarative/declarations/configurations/passcode.settings.yaml +++ b/declarative/declarations/configurations/passcode.settings.yaml 
@@ -5,16 +5,31 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: forbidden - userenrollment: - mode: allowed + allowed-scopes: [] macOS: introduced: '13.0' - userenrollment: - mode: forbidden + allowed-enrollments: + - device + - local + allowed-scopes: + - system + - user tvOS: introduced: n/a + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: RequirePasscode title: Require Passcode on Device @@ -31,18 +46,20 @@ payloadkeys: introduced: '16.2' macOS: introduced: '13.1' + watchOS: + introduced: n/a type: presence: optional default: false - content: If set to true, the passcode must consist of at least one alphabetic characters - ("abcd"), and at least one number. + content: If 'true', the passcode needs to consist of at least one alphabetic character + and at least one number. - key: RequireComplexPasscode title: Require Complex Passcode type: presence: optional default: false content: If 'true', requires a complex passcode. A complex passcode is one that - doesn't contain repeated characters or increasing/decreasing characters (such + doesn't contain repeated characters or increasing or decreasing characters (such as 123 or CBA). - key: MinimumLength title: Minimum Passcode Length @@ -60,14 +77,17 @@ payloadkeys: introduced: '16.2' macOS: introduced: '13.1' + watchOS: + introduced: n/a type: presence: optional range: min: 0 max: 4 - default: 1 - content: Specifies the minimum number of complex characters that must be present. - Only used when RequireComplexPasscode is true. + default: 0 + content: Specifies the minimum number of complex characters in the password. A complex + character is a character other than a number or a letter, such as '&', '%', '$', + and '#'. - key: MaximumFailedAttempts title: Maximum Number of Failed Attempts type: 
@@ -86,11 +106,13 @@ payloadkeys: introduced: n/a macOS: introduced: '13.1' + watchOS: + introduced: n/a type: presence: optional - content: The number of minutes before the login will be reset after the maximum - number of failed attempts has been reached. The MaximumFailedAttempts key must - be set for this to take effect. + content: The number of minutes before the login is reset after the maximum number + of failed attempts. Also set the 'MaximumFailedAttempts' key for this to take + effect. - key: MaximumGracePeriodInMinutes title: Maximum Grace Period type: @@ -120,9 +142,9 @@ payloadkeys: range: min: 0 max: 730 - content: Specifies the maximum number of days for which the passcode can remain - unchanged. After this number of days, the user is forced to change the passcode - before the device is unlocked. + content: Specifies the maximum number of days that the passcode can remain unchanged. + After this number of days, the system forces the user to change the passcode before + it unlocks the device. - key: PasscodeReuseLimit title: Passcode Reuse Limit type: 
@@ -141,10 +163,46 @@ payloadkeys: introduced: n/a macOS: introduced: '13.1' + watchOS: + introduced: n/a type: presence: optional default: false - content: If set to true, forces a password reset to occur the next time the user - tries to authenticate. If this key is set in a configuration in the system scope - (device channel), the setting takes effect for all users, and admin authentications - may fail until the admin user password is also reset. + content: If 'true', the system forces a password reset the next time the user tries + to authenticate. If you set this key in a configuration in the system scope (device + channel), the setting takes effect for all users, and admin authentication may + fail until the admin user password is also reset. +- key: CustomRegex + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + watchOS: + introduced: n/a + type: + presence: optional + content: Specifies a regular expression, and its description, to enforce password + compliance. Use the simpler passcode settings whenever possible, and rely on regular + expression matching only when necessary. Mistakes in regular expressions can lead + to frustrating user experiences, such as unsatisfiable passcode policies, or policy + descriptions that don't match the enforced policy. + subkeys: + - key: Regex + type: + presence: required + content: A regular expression string to match against the password to determine + whether it complies with a policy. The regular expression uses the ICU syntax. + The string can't exceed 2048 characters in length. + - key: Description + type: + presence: optional + content: A dictionary with supported OS language IDs for the keys (such as 'en-US'), + and values that represent a localized description of the policy that the regular + expression enforces. Use the special 'default' key for languages that the dictionary + doesn't contain. + subkeys: + - key: ANY + type: + presence: optional + content: A localized description. 
diff --git a/declarative/declarations/configurations/screensharing.connection.group.yaml b/declarative/declarations/configurations/screensharing.connection.group.yaml new file mode 100644 index 0000000..d05eaa4 --- /dev/null +++ b/declarative/declarations/configurations/screensharing.connection.group.yaml @@ -0,0 +1,42 @@ +title: Screen Sharing:Connection Group +description: Use this configuration to define a group of Screen Sharing connections. +payload: + declarationtype: com.apple.configuration.screensharing.connection.group + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: ConnectionGroupUUID + title: Unique Identifier + type: + presence: required + content: A string which uniquely identifies this connection group. +- key: GroupName + title: Group Name + type: + presence: required + content: The name of the Connection Group. +- key: Members + title: Group Members + type: + presence: required + content: |- + Array of ConnectionUUIDs (matching a connection declared in a + com.apple.configuration.screensharing.connection configuration) of the Connections + that should be members of this group. + subkeys: + - key: ConnectionUUID + type: diff --git a/declarative/declarations/configurations/screensharing.connection.yaml b/declarative/declarations/configurations/screensharing.connection.yaml new file mode 100644 index 0000000..5f5671a --- /dev/null +++ b/declarative/declarations/configurations/screensharing.connection.yaml 
@@ -0,0 +1,66 @@ +title: Screen Sharing:Connection +description: Use this configuration to define a connection to a Screen Sharing host. +payload: + declarationtype: com.apple.configuration.screensharing.connection + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: ConnectionUUID + title: Unique Identifier + type: + presence: required + content: A unique identifier for this connection when it's in a connection group. +- key: DisplayName + title: The name of the connection. + type: + presence: required + content: The name of the connection. +- key: HostName + title: Host Name + type: + presence: required + content: The host name or IP address of the Mac that hosts the screen-sharing connection. +- key: Port + title: TCP Port + type: + presence: optional + content: Specifies the TCP port number on the host to initiate the connection. +- key: DisplayConfiguration + title: Display Configuration + type: + presence: required + content: The display configuration for this connection. + subkeys: + - key: DisplayType + type: + presence: required + rangelist: + - Virtual1 + - Virtual2 + content: |- + The type of display for the connection, which has these allowed values: + * 'Virtual1': Create one virtual display. + * 'Virtual2': Create two virtual displays. +- key: AuthenticationCredentialsAssetReference + title: Authentication Credentials Asset Reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: Specifies the identifier of an asset declaration that contains the required + credentials for this connection to authenticate with the screen-sharing server. + Set the corresponding asset type to 'com.apple.asset.credential.userpassword'. 
diff --git a/declarative/declarations/configurations/screensharing.host.settings.yaml b/declarative/declarations/configurations/screensharing.host.settings.yaml new file mode 100644 index 0000000..b3db46b --- /dev/null +++ b/declarative/declarations/configurations/screensharing.host.settings.yaml 
@@ -0,0 +1,58 @@ +title: Screen Sharing:Host Settings +description: Use this configuration to define Screen Sharing host settings and restrictions. +payload: + declarationtype: com.apple.configuration.screensharing.host.settings + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: MaximumVirtualDisplays + title: Maximum number of Virtual Displays + type: + presence: optional + range: + min: 0 + max: 2 + content: Sets the maximum number of Virtual Displays to make available to clients. +- key: PortBase + title: UDP Port base + type: + presence: optional + range: + min: 1024 + max: 65535 + content: |- + Specifies the initial UDP port number for connecting to the host. Screen Sharing needs multiple connections + so additional connections will increment this base port number by 1 for each needed connection. This does not + change the port number used to initially establish a connection with a host, which is always TCP port 5900. +- key: PreventCopyFilesFromHost + title: Prevent copying files from host + type: + presence: optional + default: false + content: Set to true to prevent users from copying files from the Screen Sharing + host. +- key: PreventCopyFilesToHost + title: Prevent copying files to host + type: + presence: optional + default: false + content: Set to true to prevent users from copying files to the Screen Sharing host. +- key: PreventHighPerformanceConnections + title: Prevent High Performance connections + type: + presence: optional + default: false + content: Set to true to prevent clients from establishing High Performance connections + to the host. diff --git a/declarative/declarations/configurations/security.certificate.yaml b/declarative/declarations/configurations/security.certificate.yaml new file mode 100644 index 0000000..91b3f80 --- /dev/null 
+++ b/declarative/declarations/configurations/security.certificate.yaml @@ -0,0 +1,49 @@ +title: Security:Certificate +description: Use this configuration to add a certificate to the device. +payload: + declarationtype: com.apple.configuration.security.certificate + supportedOS: + iOS: + introduced: '17.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user + macOS: + introduced: '14.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user + tvOS: + introduced: '17.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system +payloadkeys: +- key: CredentialAssetReference + title: Credential asset reference + type: + assettypes: + - com.apple.asset.credential.certificate + presence: required + content: Specifies the identifier of an asset declaration that contains the certificate + to install. diff --git a/declarative/declarations/configurations/security.identity.yaml b/declarative/declarations/configurations/security.identity.yaml new file mode 100644 index 0000000..d47218d --- /dev/null +++ b/declarative/declarations/configurations/security.identity.yaml 
@@ -0,0 +1,73 @@ +title: Security:Identity +description: Use this configuration to install an identity on the device. +payload: + declarationtype: com.apple.configuration.security.identity + supportedOS: + iOS: + introduced: '17.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user + macOS: + introduced: '14.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user + tvOS: + introduced: '17.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system +payloadkeys: +- key: CredentialAssetReference + title: Credential asset reference + type: + assettypes: + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + - com.apple.asset.credential.acme + presence: required + content: Specifies the identifier of an asset declaration that contains the identity + to install. +- key: AllowAllAppsAccess + title: Allow all apps access + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', apps can access the private key. +- key: KeyIsExtractable + title: Key is extractable + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'true', the private key is extractable in the keychain. diff --git a/declarative/declarations/configurations/security.passkey.attestation.yaml b/declarative/declarations/configurations/security.passkey.attestation.yaml new file mode 100644 index 0000000..21e82a1 --- /dev/null +++ b/declarative/declarations/configurations/security.passkey.attestation.yaml 
@@ -0,0 +1,54 @@ +title: Security:Passkey:Attestation +description: Configures the device to allow WebAuthn enterprise attestation for certain + passkeys. +payload: + declarationtype: com.apple.configuration.security.passkey.attestation + supportedOS: + iOS: + introduced: '17.0' + allowed-enrollments: + - device + allowed-scopes: + - system + sharedipad: + allowed-scopes: [] + macOS: + introduced: '14.0' + allowed-enrollments: + - device + allowed-scopes: + - user + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: AttestationIdentityAssetReference + title: Attestation identity asset reference. + type: + assettypes: + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + - com.apple.asset.credential.acme + presence: required + content: Specifies the identifier of an asset declaration that contains the identity + to install and use for passkey attestation. +- key: AttestationIdentityKeyIsExtractable + title: Attestation identity key is extractable + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'true', the private key for the attestation identity is extractable + in the keychain. +- key: RelyingParties + title: Relying parties + type: + presence: required + content: Relying parties to allow enterprise attestation. + subkeys: + - key: RelyingParty + title: Relying party + type: diff --git a/declarative/declarations/configurations/services.configuration-files.yaml b/declarative/declarations/configurations/services.configuration-files.yaml new file mode 100644 index 0000000..5584f0b --- /dev/null +++ b/declarative/declarations/configurations/services.configuration-files.yaml 
@@ -0,0 +1,45 @@ +title: Services Configuration Files +description: Specifies managed configuration files for services +payload: + declarationtype: com.apple.configuration.services.configuration-files + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + allowed-enrollments: + - device + allowed-scopes: + - system + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: ServiceType + title: Service Type + type: + presence: required + content: |- + The identifier of the system service with managed configuration files. + Use a reverse DNS style for this identifier. However, the system reserves 'com.apple.' prefix for built-in services. + The available built-in services are: + * 'com.apple.sshd' configures sshd + * 'com.apple.sudo' configures sudo + * 'com.apple.pam' configures PAM + * 'com.apple.cups' configures CUPS + * 'com.apple.apache.httpd' configures Apache httpd + * 'com.apple.bash' configures bash + * 'com.apple.zsh' configures zsh +- key: DataAssetReference + title: Data Asset Reference + type: + assettypes: + - com.apple.asset.data + presence: required + content: |- + Specifies the identifier of an asset declaration that contains a reference to the files to use for system service configuration. Ensure that the corresponding asset: + * Is of type 'com.apple.asset.data' + * Is a zip archive of an entire directory + * Has a 'Reference' key that includes the 'ContentType' and 'Hash-SHA-256' keys, which the system requires + The system expands the zip archive and stores the data in a well-known location for the service. diff --git a/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml b/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml new file mode 100644 index 0000000..0f5b261 --- /dev/null +++ b/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml 
@@ -0,0 +1,55 @@ +title: Software Update:Enforcement:Specific +description: A software update enforcement policy for a specific OS release +payload: + declarationtype: com.apple.configuration.softwareupdate.enforcement.specific + supportedOS: + iOS: + introduced: '17.0' + allowed-enrollments: + - device + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '14.0' + allowed-enrollments: + - device + allowed-scopes: + - system + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: TargetOSVersion + title: Target OS Version + type: + presence: required + content: The target OS version to update the device to by the appropriate time. + This is the OS version number, for example, '16.1'. It may also include a supplemental + version identifier, for example, '16.1.1'. +- key: TargetBuildVersion + title: Target Build Version + type: + presence: optional + content: The target build version to update the device to by the appropriate time, + for example, '20A242'. The system uses the build version for testing during seeding + periods. The build version can include a supplemental version identifier, for + example, '20A242a'. If the build version isn't consistent with the target OS version + specified in the 'TargetOSVersion' key, the target OS version takes precedence. +- key: TargetLocalDateTime + title: Target Local Date Time + type: + presence: required + content: The local date time value that specifies when to force install the software + update. Use the format 'yyyy-mm-ddThh:mm:ss', which is derived from RFC3339 but + doesn't include a time zone offset. If the user doesn't trigger the software update + before this time, the device force installs it. +- key: DetailsURL + title: Details URL + type: + presence: optional + content: The URL of a web page that shows details that the organization provides + about the enforced update. 
diff --git a/declarative/declarations/configurations/watch.enrollment.yaml b/declarative/declarations/configurations/watch.enrollment.yaml new file mode 100644 index 0000000..be634e8 --- /dev/null +++ b/declarative/declarations/configurations/watch.enrollment.yaml @@ -0,0 +1,43 @@ +title: Watch:Enrollment +description: Specifies an MDMv1 Apple Watch enrollment profile +payload: + declarationtype: com.apple.configuration.watch.enrollment + supportedOS: + iOS: + introduced: '17.0' + allowed-enrollments: + - device + allowed-scopes: + - system + sharedipad: + allowed-scopes: [] + macOS: + introduced: n/a + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: EnrollmentProfileURL + title: Watch Enrollment Profile's URL. + type: + presence: required + content: The URL of the profile that the Apple Watch downloads and installs if the + user opts in to management during the pairing process, which needs to start with + 'https://'. Successful enrollment requires that the pairing iPhone is supervised + and the profile contains an MDM payload. Apple Watch attempts to install each + payload that the profile contains. +- key: AnchorCertificateAssetReferences + title: Anchor Certificate Asset References. + type: + assettypes: + - com.apple.asset.credential.certificate + presence: optional + content: Specifies an array of identifiers of asset declarations that contain anchor + certificates to use to evaluate the trust of the enrollment profile server. Set + the type of the corresponding assets to 'com.apple.asset.credential.certificate'. + subkeys: + - key: AnchorCertificateAssetReferenceItem + type: + content: Specifies the identifier of an asset declaration containing the anchor + certificate to be used. diff --git a/declarative/declarations/declarationbase.yaml b/declarative/declarations/declarationbase.yaml index 9849230..1a0ff3e 100644 --- a/declarative/declarations/declarationbase.yaml +++ b/declarative/declarations/declarationbase.yaml 
@@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + watchOS: + introduced: '10.0' payloadkeys: - key: Type type: 
@@ -27,3 +29,212 @@ payloadkeys: type: presence: required content: The payload describing this declaration. +reasons: +- value: Error.ActivationFailed + description: A configuration or asset cannot be activated due to an activation that + failed. + details: + - key: Identifier + type: + description: The `Identifier` of the declaration. + - key: ServerToken + type: + description: The `ServerToken` of the declaration. +- value: Error.AssetCannotBeDeserialized + description: The asset data does not conform to the expected data type. + details: + - key: Error + type: + description: Description of the underlying NSError. +- value: Error.AssetCannotBeDownloaded + description: The asset data cannot be downloaded. + details: + - key: Error + type: + description: Description of the underlying NSError. +- value: Error.AssetCannotBeVerified + description: The downloaded asset data cannot be verified. + details: + - key: Error + type: + description: Description of the underlying NSError. +- value: Error.ConfigurationCannotBeApplied + description: The configuration cannot be applied to the device. + details: + - key: Error + type: + description: Description of the underlying NSError. +- value: Error.ConfigurationCannotBeDeserialized + description: The configuration is not valid. + details: + - key: Error + type: + description: Description of the underlying NSError. +- value: Error.ConfigurationFailed + description: An asset cannot be activated due to a configuration that failed. + details: + - key: Identifier + type: + description: The `Identifier` of the declaration. + - key: ServerToken + type: + description: The `ServerToken` of the declaration. +- value: Error.ConfigurationIsInvalid + description: The configuration is not valid for applying to the device. + details: + - key: Error + type: + description: Description of the underlying NSError. 
+- value: Error.ConfigurationNotSupported + description: The configuration is not supported for this platform, scope, or enrollment + type. + details: + - key: Identifier + type: + description: The `Identifier` of the configuration. + - key: ServerToken + type: + description: The `ServerToken` of the configuration. +- value: Error.InvalidPayload + description: A declaration is not fully loaded. + details: + - key: Identifier + type: + description: The `Identifier` of the declaration. + - key: ServerToken + type: + description: The `ServerToken` of the declaration. +- value: Error.MissingAssets + description: A configuration being activated references assets that are not present. + details: + - key: Identifier + type: + description: The `Identifier` of the configuration. + - key: ServerToken + type: + description: The `ServerToken` of the configuration. + - key: AssetIdentifiers + type: + description: Array of strings containing each missing asset `Identifier` value. +- value: Error.MissingConfigurations + description: An activation being activated references configurations that are not + present. + details: + - key: Identifier + type: + description: The `Identifier` of the activation. + - key: ServerToken + type: + description: The `ServerToken` of the activation. + - key: ConfigurationIdentifiers + type: + description: Array of strings containing each missing configuration `Identifier` + value. +- value: Error.MissingState + description: A declaration is missing internal state information. + details: + - key: Identifier + type: + description: The `Identifier` of the declaration. + - key: ServerToken + type: + description: The `ServerToken` of the declaration. +- value: Error.PredicateFailed + description: A predicate evaluation failed. + details: + - key: Identifier + type: + description: The `Identifier` of the activation whose predicate failed. + - key: ServerToken + type: + description: The `ServerToken` of the activation whose predicate failed. 
+ - key: Predicate + type: + description: The predicate description of the predicate that failed. + - key: Domain + type: + description: Underlying NSError's domain. + - key: Code + type: + description: Underlying NSError's code. +- value: Error.UnableToEvaluatePredicate + description: A predicate cannot be evaluated. + details: + - key: Identifier + type: + description: The `Identifier` of the activation whose predicate failed to evaluate. + - key: ServerToken + type: + description: The `ServerToken` of the activation whose predicate failed to evaluate. + - key: Predicate + type: + description: The predicate description of the predicate that failed to evaluate. +- value: Error.UnableToParsePredicate + description: A predicate expression cannot be parsed. + details: + - key: Identifier + type: + description: The `Identifier` of the activation whose predicate failed to parse. + - key: ServerToken + type: + description: The `ServerToken` of the activation whose predicate failed to parse. + - key: Predicate + type: + description: The predicate description of the predicate that failed to parse. +- value: Error.UnableToParsePredicateWithCustomOperator + description: A predicate expression with a custom operator cannot be parsed. + details: + - key: Identifier + type: + description: The `Identifier` of the activation whose predicate failed to parse. + - key: ServerToken + type: + description: The `ServerToken` of the activation whose predicate failed to parse. + - key: Predicate + type: + description: The predicate description of the predicate that failed to parse. +- value: Error.Unknown + description: An unrecognized NSError was generated. + details: + - key: Domain + type: + description: NSError's domain. + - key: Code + type: + description: NSError's code. +- value: Error.UnknownPayloadKeys + description: A declaration contains unknown payloads keys. + details: + - key: UnknownPayloadKeys + type: + description: Array of strings containing each unknown key-path. 
+- value: Info.NotReferencedByActivation + description: A configuration is not referenced in any activation. + details: + - key: Identifier + type: + description: The `Identifier` of the configuration. + - key: ServerToken + type: + description: The `ServerToken` of the configuration. +- value: Info.NotReferencedByConfiguration + description: An asset is not referenced in any configuration. + details: + - key: Identifier + type: + description: The `Identifier` of the asset. + - key: ServerToken + type: + description: The `ServerToken` of the asset. +- value: Info.Predicate + description: A predicate evaluated to false. + details: + - key: Identifier + type: + description: The `Identifier` of the activation whose predicate is false. + - key: ServerToken + type: + description: The `ServerToken` of the activation whose predicate is false. + - key: Predicate + type: + description: The predicate description of the predicate that is false. diff --git a/declarative/declarations/management/organization-info.yaml b/declarative/declarations/management/organization-info.yaml index 728e99f..2e63695 100644 --- a/declarative/declarations/management/organization-info.yaml +++ b/declarative/declarations/management/organization-info.yaml @@ -10,6 +10,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + watchOS: + introduced: '10.0' payloadkeys: - key: Name title: Organization Name diff --git a/declarative/declarations/management/properties.yaml b/declarative/declarations/management/properties.yaml index 94621d4..5b3e212 100644 --- a/declarative/declarations/management/properties.yaml +++ b/declarative/declarations/management/properties.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + watchOS: + introduced: '10.0' payloadkeys: - key: ANY title: Property diff --git a/declarative/declarations/management/server-capabilities.yaml b/declarative/declarations/management/server-capabilities.yaml index 7f8f94d..32a85ff 100644 
--- a/declarative/declarations/management/server-capabilities.yaml +++ b/declarative/declarations/management/server-capabilities.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + watchOS: + introduced: '10.0' payloadkeys: - key: Version title: Protocol Version diff --git a/declarative/protocol/declarationitemsresponse.yaml b/declarative/protocol/declarationitemsresponse.yaml index 94d1ece..1dc6101 100644 --- a/declarative/protocol/declarationitemsresponse.yaml +++ b/declarative/protocol/declarationitemsresponse.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + watchOS: + introduced: '10.0' payloadkeys: - key: Declarations title: Manifest Declaration Items diff --git a/declarative/protocol/statusreport.yaml b/declarative/protocol/statusreport.yaml index 46245ab..96d01a0 100644 --- a/declarative/protocol/statusreport.yaml +++ b/declarative/protocol/statusreport.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + watchOS: + introduced: '10.0' payloadkeys: - key: StatusItems title: Status Items @@ -59,3 +61,21 @@ payloadkeys: type: presence: optional content: A dictionary that contains further details about this error. +- key: FullReport + title: Full Report + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + type: + presence: optional + default: false + content: When set to "true", this indicates that the status report contains the + full set of current status, and is not an incremental report. This will include + the full set of items in any status array item (not just the changes). Servers + can use this to replace their entire set of status for the device, rather than + do incremental update processing. Devices will set this to "true" when sending + a "safety sync" status report, which is typically sent every 24 hours or so. 
diff --git a/declarative/protocol/tokensresponse.yaml b/declarative/protocol/tokensresponse.yaml index 3aa8e6e..df7f0d7 100644 --- a/declarative/protocol/tokensresponse.yaml +++ b/declarative/protocol/tokensresponse.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + watchOS: + introduced: '10.0' payloadkeys: - key: SyncTokens title: Synchronization Tokens diff --git a/declarative/status/account.list.caldav.yaml b/declarative/status/account.list.caldav.yaml index 84df03c..11fa2d9 100644 --- a/declarative/status/account.list.caldav.yaml +++ b/declarative/status/account.list.caldav.yaml @@ -5,22 +5,33 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: account.list.caldav title: Status item value. type: presence: required - content: The status value of the account. + content: A list of status values for the CalDAV accounts. subkeytype: Account subkeys: - key: status_value @@ -36,9 +47,8 @@ payloadkeys: type: presence: optional default: false - content: To indicate removal of an account, this key's value is set to true, - and only this key and the "identifier" key will be present in the status item - object. + content: If 'true', the account is removed and the status item object only contains + this key and the 'identifier' key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: diff --git a/declarative/status/account.list.carddav.yaml b/declarative/status/account.list.carddav.yaml index 4ad05b2..061128c 100644 --- a/declarative/status/account.list.carddav.yaml 
+++ b/declarative/status/account.list.carddav.yaml @@ -5,22 +5,33 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: account.list.carddav title: Status item value. type: presence: required - content: Status value. + content: A list of status values for the CardDAV accounts. subkeytype: Account subkeys: - key: status_value @@ -30,22 +41,20 @@ payloadkeys: title: Unique identifier of the account. type: presence: required - content: The unique identifier of the account. This can be used as a "primary - key" to access a specific account. + content: The unique identifier for the account. - key: _removed title: Indicates removal of the account. type: presence: optional default: false - content: To indicate removal of an account, this key's value is set to true, - and only this key and the "identifier" key will be present in the status item - object. + content: If 'true', the account is removed and the status item object only contains + this key and the 'identifier' key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: presence: optional content: The identifier of the declaration that installed the account. Only - present if the account was installed by a declaration. + present if a declaration installed the account. - key: visible-name title: Account name type: @@ -55,7 +64,7 @@ payloadkeys: title: Account hostname type: presence: optional - content: The server host name of the account. + content: The server host name for the account. - key: port title: Server Port type: 
@@ -65,4 +74,4 @@ payloadkeys: title: Account username type: presence: optional - content: The user name of the account. + content: The user name for the account. diff --git a/declarative/status/account.list.exchange.yaml b/declarative/status/account.list.exchange.yaml index 1c6aa9d..10434f4 100644 --- a/declarative/status/account.list.exchange.yaml +++ b/declarative/status/account.list.exchange.yaml @@ -5,22 +5,33 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: account.list.exchange title: Status item value. type: presence: required - content: Status value. + content: A list of status values for the exchange accounts. subkeytype: Account subkeys: - key: status_value 
@@ -30,22 +41,20 @@ payloadkeys: title: Unique identifier of the account. type: presence: required - content: The unique identifier of the account. This can be used as a "primary - key" to access a specific account. + content: The unique identifier for the account. - key: _removed title: Indicates removal of the account. type: presence: optional default: false - content: To indicate removal of an account, this key's value is set to true, - and only this key and the "identifier" key will be present in the status item - object. + content: If 'true', the account is removed and the status item object only contains + this key and the 'identifier' key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: presence: optional content: The identifier of the declaration that installed the account. Only - present if the account was installed by a declaration. + present if a declaration installed the account. - key: visible-name title: Account name type: @@ -55,7 +64,7 @@ payloadkeys: title: Account hostname type: presence: optional - content: The server host name of the account. + content: The server host name for the account. - key: port title: Server Port type: 
@@ -65,30 +74,34 @@ payloadkeys: title: Account username type: presence: optional - content: The user name of the account. + content: The user name for the account. - key: is-mail-enabled title: Is mail enabled type: presence: optional - content: Indicates if mail for this account are being displayed in Mail.app. + content: A Boolean value that indicates whether the Mail app displays mail for + this account. - key: are-calendars-enabled title: Are calendars enabled type: presence: optional - content: Indicates if calendars and events for the account are being displayed - in Calendar.app. + content: A Boolean value that indicates whether the Calendar app displays calendars + and events for this account. - key: are-contacts-enabled title: Are contacts enabled type: presence: optional - content: Indicates if contacts for the account are being displayed in Contacts.app. + content: A Boolean value that indicates whether the Contacts app displays contacts + for this account. - key: are-notes-enabled title: Are notes enabled type: presence: optional - content: Indicates if notes for this account are being displayed in Notes.app. + content: A Boolean value that indicates whether the Notes app displays notes + for this account. - key: are-reminders-enabled title: Are reminders enabled type: presence: optional - content: Indicates if reminders for the account are being displayed in Reminders.app. + content: A Boolean value that indicates whether the Reminders app displays reminders + for this account. diff --git a/declarative/status/account.list.google.yaml b/declarative/status/account.list.google.yaml index ab29ffe..ce93f60 100644 --- a/declarative/status/account.list.google.yaml +++ b/declarative/status/account.list.google.yaml 
@@ -5,22 +5,33 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: account.list.google title: Status item value. type: presence: required - content: Status value. + content: A list of status values for the Google accounts. subkeytype: Account subkeys: - key: status_value @@ -30,22 +41,20 @@ payloadkeys: title: Unique identifier of the account. type: presence: required - content: The unique identifier of the account. This can be used as a "primary - key" to access a specific account. + content: The unique identifier for the account. - key: _removed title: Indicates removal of the account. type: presence: optional default: false - content: To indicate removal of an account, this key's value is set to true, - and only this key and the "identifier" key will be present in the status item - object. + content: If 'true', the account is removed and the status item object only contains + this key and the 'identifier' key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: presence: optional content: The identifier of the declaration that installed the account. Only - present if the account was installed by a declaration. + present if a declaration installed the account. - key: visible-name title: Account name type: 
@@ -55,25 +64,28 @@ payloadkeys: title: Account username type: presence: optional - content: The user name of the account. + content: The user name for the account. - key: is-mail-enabled title: Is mail enabled type: presence: optional - content: Indicates if mail for this account are being displayed in Mail.app. + content: A Boolean value that indicates whether the Mail app displays mail for + this account. - key: are-calendars-enabled title: Are calendars enabled type: presence: optional - content: Indicates if calendars and events for the account are being displayed - in Calendar.app. + content: A Boolean value that indicates whether the Calendar app displays calendars + and events for this account. - key: are-contacts-enabled title: Are contacts enabled type: presence: optional - content: Indicates if contacts for the account are being displayed in Contacts.app. + content: A Boolean value that indicates whether the Contacts app displays contacts + for this account. - key: are-notes-enabled title: Are notes enabled type: presence: optional - content: Indicates if notes for this account are being displayed in Notes.app. + content: A Boolean value that indicates whether the Notes app displays notes + for this account. diff --git a/declarative/status/account.list.ldap.yaml b/declarative/status/account.list.ldap.yaml index 3fa3fe3..5c46ad1 100644 --- a/declarative/status/account.list.ldap.yaml +++ b/declarative/status/account.list.ldap.yaml 
@@ -5,22 +5,33 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: account.list.ldap title: Status item value. type: presence: required - content: Status value. + content: A list of status values for the LDAP accounts. subkeytype: Account subkeys: - key: status_value @@ -30,22 +41,20 @@ payloadkeys: title: Unique identifier of the account. type: presence: required - content: The unique identifier of the account. This can be used as a "primary - key" to access a specific account. + content: The unique identifier for the account. - key: _removed title: Indicates removal of the account. type: presence: optional default: false - content: To indicate removal of an account, this key's value is set to true, - and only this key and the "identifier" key will be present in the status item - object. + content: If 'true', the account is removed and the status item object only contains + this key and the 'identifier' key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: presence: optional content: The identifier of the declaration that installed the account. Only - present if the account was installed by a declaration. + present if a declaration installed the account. - key: visible-name title: Account name type: @@ -70,4 +79,5 @@ payloadkeys: title: Is account enabled type: presence: optional - content: Indicates if the account is enabled for use with Contacts.app. + content: A Boolean value that indicates whether the account is enabled for use + with the Contacts app. 
diff --git a/declarative/status/account.list.mail.incoming.yaml b/declarative/status/account.list.mail.incoming.yaml index f860c62..f2f4695 100644 --- a/declarative/status/account.list.mail.incoming.yaml +++ b/declarative/status/account.list.mail.incoming.yaml @@ -5,22 +5,33 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: account.list.mail.incoming title: Status item value. type: presence: required - content: Status value. + content: A list of status values for the incoming mail accounts. subkeytype: Account subkeys: - key: status_value @@ -30,22 +41,20 @@ payloadkeys: title: Unique identifier of the account. type: presence: required - content: The unique identifier of the account. This can be used as a "primary - key" to access a specific account. + content: The unique identifier for the account. - key: _removed title: Indicates removal of the account. type: presence: optional default: false - content: To indicate removal of an account, this key's value is set to true, - and only this key and the "identifier" key will be present in the status item - object. + content: If 'true', the account is removed and the status item object only contains + this key and the 'identifier' key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: presence: optional content: The identifier of the declaration that installed the account. Only - present if the account was installed by a declaration. + present if a declaration installed the account. - key: visible-name title: Account name type: 
@@ -55,7 +64,7 @@ payloadkeys: title: Account hostname type: presence: optional - content: The server host name of the account. + content: The server host name for the account. - key: port title: Server Port type: @@ -65,14 +74,16 @@ payloadkeys: title: Account username type: presence: optional - content: The user name of the account. + content: The user name for the account. - key: is-mail-enabled title: Is mail enabled type: presence: optional - content: Indicates if mail for this account are being displayed in Mail.app. + content: A Boolean value that indicates whether the Mail app displays mail for + this account. - key: are-notes-enabled title: Are notes enabled type: presence: optional - content: Indicates if notes for this account are being displayed in Notes.app. + content: A Boolean value that indicates whether the Notes app displays notes + for this account. diff --git a/declarative/status/account.list.mail.outgoing.yaml b/declarative/status/account.list.mail.outgoing.yaml index 76c5606..99b4e5e 100644 --- a/declarative/status/account.list.mail.outgoing.yaml +++ b/declarative/status/account.list.mail.outgoing.yaml @@ -5,22 +5,33 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true + allowed-scopes: + - user macOS: introduced: '13.0' - devicechannel: false - userchannel: true + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: account.list.mail.outgoing title: Status item value. type: presence: required - content: Status value. + content: A list of status values for the outgoing mail accounts. subkeytype: Account subkeys: - key: status_value 
@@ -30,22 +41,20 @@ payloadkeys: title: Unique identifier of the account. type: presence: required - content: The unique identifier of the account. This can be used as a "primary - key" to access a specific account. + content: The unique identifier for the account. - key: _removed title: Indicates removal of the account. type: presence: optional default: false - content: To indicate removal of an account, this key's value is set to true, - and only this key and the "identifier" key will be present in the status item - object. + content: If 'true', the account is removed and the status item object only contains + this key and the 'identifier' key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: presence: optional content: The identifier of the declaration that installed the account. Only - present if the account was installed by a declaration. + present if a declaration installed the account. - key: visible-name title: Account name type: @@ -55,7 +64,7 @@ payloadkeys: title: Account hostname type: presence: optional - content: The server host name of the account. + content: The server host name for the account. - key: port title: Server Port type: @@ -65,4 +74,4 @@ payloadkeys: title: Account username type: presence: optional - content: The user name of the account. + content: The user name for the account. diff --git a/declarative/status/account.list.subscribed-calendar.yaml b/declarative/status/account.list.subscribed-calendar.yaml index 4f04df2..b2959cd 100644 --- a/declarative/status/account.list.subscribed-calendar.yaml +++ b/declarative/status/account.list.subscribed-calendar.yaml 
@@ -5,20 +5,33 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system sharedipad: - mode: allowed - devicechannel: false - userchannel: true + allowed-scopes: + - user macOS: - introduced: n/a + introduced: '14.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - user tvOS: introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: account.list.subscribed-calendar title: Status item value. type: presence: required - content: Status value. + content: A list of status values for the calendar accounts. subkeytype: Account subkeys: - key: status_value @@ -28,22 +41,20 @@ payloadkeys: title: Unique identifier of the account. type: presence: required - content: The unique identifier of the account. This can be used as a "primary - key" to access a specific account. + content: The unique identifier for the account. - key: _removed title: Indicates removal of the account. type: presence: optional default: false - content: To indicate removal of an account, this key's value is set to true, - and only this key and the "identifier" key will be present in the status item - object. + content: If 'true', the account is removed and the status item object only contains + this key and the 'identifier' key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: presence: optional content: The identifier of the declaration that installed the account. Only - present if the account was installed by a declaration. + present if a declaration installed the account. - key: visible-name title: Account name type: 
@@ -58,9 +69,10 @@ payloadkeys: title: Account username type: presence: optional - content: The user name of the account. + content: The user name for the account. - key: is-enabled title: Is the calendar enabled type: presence: optional - content: Indicates if the calendar is being displayed in Calendar.app. + content: A Boolean value that indicates whether the Calendar app displays this + calendar. diff --git a/declarative/status/device.identifier.serial-number.yaml b/declarative/status/device.identifier.serial-number.yaml index 3d41630..6cecef9 100644 --- a/declarative/status/device.identifier.serial-number.yaml +++ b/declarative/status/device.identifier.serial-number.yaml @@ -5,17 +5,40 @@ payload: supportedOS: iOS: introduced: '16.0' - userenrollment: - mode: forbidden + allowed-enrollments: + - device + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' - userenrollment: - mode: forbidden + allowed-enrollments: + - device + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: device.identifier.serial-number title: Status item value. type: presence: required - content: Status value. + content: The device's serial number. diff --git a/declarative/status/device.identifier.udid.yaml b/declarative/status/device.identifier.udid.yaml index 65f8b67..bc4d0b2 100644 --- a/declarative/status/device.identifier.udid.yaml +++ b/declarative/status/device.identifier.udid.yaml 
@@ -5,14 +5,37 @@ payload: supportedOS: iOS: introduced: '16.0' - userenrollment: - mode: forbidden + allowed-enrollments: + - device + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' - userenrollment: - mode: forbidden + allowed-enrollments: + - device + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: device.identifier.udid title: Status item value. diff --git a/declarative/status/device.model.family.yaml b/declarative/status/device.model.family.yaml index 074495c..93133c3 100644 --- a/declarative/status/device.model.family.yaml +++ b/declarative/status/device.model.family.yaml @@ -5,14 +5,42 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: device.model.family title: Status item value. type: presence: required - content: A string that describes the hardware family of the device, such as 'Mac', - 'iPhone', or 'iPad'. + content: The hardware family of the device, such as 'Mac', 'iPhone', or 'iPad'. diff --git a/declarative/status/device.model.identifier.yaml b/declarative/status/device.model.identifier.yaml index 37e7d10..05293bc 100644 --- a/declarative/status/device.model.identifier.yaml +++ b/declarative/status/device.model.identifier.yaml 
@@ -5,17 +5,46 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: device.model.identifier title: Status item value. type: presence: required - content: A two-part string that uniquely identifies the device's model. The first - part describes device's model family, and the second part describes the model's - version. The model's version is a comma-separated number where the first part - of the number is the version, and the second part is a variant, such as 'MacBookPro15,1' - or 'iPhone13,2'. + content: A two-part string that specifies the device's model. The first part specifies + device's model family, and the second part specifies the model's version. The + model's version is a comma-separated number where the first part of the number + is the version, and the second part is a variant, such as 'MacBookPro15,1' or + 'iPhone13,2'. diff --git a/declarative/status/device.model.marketing-name.yaml b/declarative/status/device.model.marketing-name.yaml index 5162d88..ade021f 100644 --- a/declarative/status/device.model.marketing-name.yaml +++ b/declarative/status/device.model.marketing-name.yaml 
@@ -5,14 +5,44 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: device.model.marketing-name title: Status item value. type: presence: required - content: A string that identifies the device's marketing name, such as 'iPhone 12'. - This value may not always be available. + content: The device's marketing name, such as 'iPhone 12'. This value may not always + be available. Alternatively, use 'device.model.configuration-code' to look up + the marketing name through the web API. diff --git a/declarative/status/device.model.number.yaml b/declarative/status/device.model.number.yaml new file mode 100644 index 0000000..0ac7101 --- /dev/null +++ b/declarative/status/device.model.number.yaml @@ -0,0 +1,46 @@ +title: Status Device Model Number +description: The device's hardware number. +payload: + statusitemtype: device.model.number + supportedOS: + iOS: + introduced: '17.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user + macOS: + introduced: '14.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user + tvOS: + introduced: '17.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system +payloadkeys: +- key: device.model.number + title: Status item value. + type: + presence: required + content: The device's model number. 
diff --git a/declarative/status/device.operating-system.build-version.yaml b/declarative/status/device.operating-system.build-version.yaml index f4ac429..0dbec7f 100644 --- a/declarative/status/device.operating-system.build-version.yaml +++ b/declarative/status/device.operating-system.build-version.yaml @@ -5,14 +5,42 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: device.operating-system.build-version title: Status item value. type: presence: required - content: A string that identifies the operating system's build version on the device, - such as '18F132'. + content: The operating system's build version on the device, such as '18F132'. diff --git a/declarative/status/device.operating-system.family.yaml b/declarative/status/device.operating-system.family.yaml index 1007afd..e4fb9de 100644 --- a/declarative/status/device.operating-system.family.yaml +++ b/declarative/status/device.operating-system.family.yaml 
@@ -5,14 +5,42 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: device.operating-system.family title: Status item value. type: presence: required - content: A string that identifies the operating system family in use on the device, - such as 'macOS' or 'iOS'. + content: The operating system family in use on the device, such as 'macOS' or 'iOS'. diff --git a/declarative/status/device.operating-system.marketing-name.yaml b/declarative/status/device.operating-system.marketing-name.yaml index e081fcf..585f1a7 100644 --- a/declarative/status/device.operating-system.marketing-name.yaml +++ b/declarative/status/device.operating-system.marketing-name.yaml @@ -5,14 +5,42 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: device.operating-system.marketing-name title: Status item value. type: presence: required - content: A string that identifies the operating system's marketing name in use on - the device, such as 'Catalina'. + content: The operating system's marketing name in use on the device, such as 'Catalina'. 
diff --git a/declarative/status/device.operating-system.supplemental.build-version.yaml b/declarative/status/device.operating-system.supplemental.build-version.yaml index 5d1edea..71d9201 100644 --- a/declarative/status/device.operating-system.supplemental.build-version.yaml +++ b/declarative/status/device.operating-system.supplemental.build-version.yaml @@ -5,14 +5,43 @@ payload: supportedOS: iOS: introduced: '16.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.1' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: device.operating-system.supplemental.build-version title: Status item value. type: presence: required - content: Identifies the operating system's build and rapid security response versions - in use on the device (for example, '20A123a', or '20B27c'). + content: The operating system's build and rapid security response versions in use + on the device, for example, '20A123a' or '20B27c'. diff --git a/declarative/status/device.operating-system.supplemental.extra-version.yaml b/declarative/status/device.operating-system.supplemental.extra-version.yaml index a434a82..5e6756a 100644 --- a/declarative/status/device.operating-system.supplemental.extra-version.yaml +++ b/declarative/status/device.operating-system.supplemental.extra-version.yaml 
@@ -5,14 +5,43 @@ payload: supportedOS: iOS: introduced: '16.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.1' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: device.operating-system.supplemental.extra-version title: Status item value. type: presence: required - content: Identifies the operating system's rapid security response version in use - on the device (for example, 'a'). + content: The operating system's rapid security response version in use on the device, + for example, 'a'. diff --git a/declarative/status/device.operating-system.version.yaml b/declarative/status/device.operating-system.version.yaml index 6abb9e8..e63050c 100644 --- a/declarative/status/device.operating-system.version.yaml +++ b/declarative/status/device.operating-system.version.yaml @@ -5,14 +5,42 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: device.operating-system.version title: Status item value. type: presence: required - content: A string that identifies the operating system's version in use on the device, - such as '15.0'. + content: The operating system's version in use on the device, such as '15.0'. 
diff --git a/declarative/status/device.power.battery-health.yaml b/declarative/status/device.power.battery-health.yaml new file mode 100644 index 0000000..0c2315f --- /dev/null +++ b/declarative/status/device.power.battery-health.yaml @@ -0,0 +1,40 @@ +title: Status Device Battery Health +description: The health of the battery. +payload: + statusitemtype: device.power.battery-health + supportedOS: + iOS: + introduced: '17.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: n/a + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: device.power.battery-health + title: Status item value. + type: + presence: required + rangelist: + - non-genuine + - normal + - service-recommended + - unknown + - unsupported + content: |- + The battery health status: + * non-genuine - the battery is not a genuine Apple battery + * normal - the battery is operating normally + * service-recommended - battery service is recommended + * unknown - battery health information could not be determined + * unsupported - battery health reporting is not supported on the device + Only supported on iPhones. iPads will return "unsupported". diff --git a/declarative/status/diskmanagement.filevault.enabled.yaml b/declarative/status/diskmanagement.filevault.enabled.yaml new file mode 100644 index 0000000..696d263 --- /dev/null +++ b/declarative/status/diskmanagement.filevault.enabled.yaml 
@@ -0,0 +1,24 @@ +title: Status Disk Management File Vault Enabled +description: The enabled status of the File Vault. +payload: + statusitemtype: diskmanagement.filevault.enabled + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: diskmanagement.filevault.enabled + title: Status item value. + type: + presence: required + content: A Boolean value that specifies the File Vault enabled status on the device. diff --git a/declarative/status/management.client-capabilities.yaml b/declarative/status/management.client-capabilities.yaml index adb3a97..5dc2ba2 100644 --- a/declarative/status/management.client-capabilities.yaml +++ b/declarative/status/management.client-capabilities.yaml @@ -5,10 +5,35 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + allowed-scopes: + - system payloadkeys: - key: management.client-capabilities title: Status item value. diff --git a/declarative/status/management.declarations.yaml b/declarative/status/management.declarations.yaml index 63840fd..4887f0d 100644 --- a/declarative/status/management.declarations.yaml +++ b/declarative/status/management.declarations.yaml 
@@ -5,10 +5,35 @@ payload: supportedOS: iOS: introduced: '15.0' + allowed-enrollments: + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + allowed-scopes: + - system payloadkeys: - key: management.declarations title: Status item value. diff --git a/declarative/status/mdm.app.yaml b/declarative/status/mdm.app.yaml index 010e909..a188855 100644 --- a/declarative/status/mdm.app.yaml +++ b/declarative/status/mdm.app.yaml @@ -5,10 +5,29 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: n/a tvOS: introduced: '16.0' + allowed-enrollments: + - device + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + allowed-scopes: + - system payloadkeys: - key: mdm.app title: Status item value. @@ -30,9 +49,8 @@ payloadkeys: type: presence: optional default: false - content: To indicate removal of an app, this key's value is set to true, and - only this key and the "identifier" key will be present in the status item - object. + content: If 'true', the app is removed and the status item object only contains + this key and the 'identifier' key. - key: name title: App name type: diff --git a/declarative/status/passcode.is-compliant.yaml b/declarative/status/passcode.is-compliant.yaml index 03a5b66..2f18cc3 100644 --- a/declarative/status/passcode.is-compliant.yaml +++ b/declarative/status/passcode.is-compliant.yaml 
@@ -5,10 +5,27 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: passcode.is-compliant title: Status item value. diff --git a/declarative/status/passcode.is-present.yaml b/declarative/status/passcode.is-present.yaml index 2b9056e..1c1b8b1 100644 --- a/declarative/status/passcode.is-present.yaml +++ b/declarative/status/passcode.is-present.yaml @@ -5,10 +5,27 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: passcode.is-present title: Status item value. @@ -16,6 +33,6 @@ payloadkeys: presence: required content: If 'true', a passcode is present on the device. If 'false', a passcode isn't present on the device. When a passcode is present, the specific attributes - of the passcode (length, number of complex characters, etc), isn't reported. Instead, - use the 'passcode.is-compliant' status item to verify that the passcode complies - with all passcode policies set on the device. + of the passcode, such as length or number of complex characters, aren't reported. + Instead, use the 'passcode.is-compliant' status item to verify that the passcode + complies with all passcode policies set on the device. diff --git a/declarative/status/security.certificate.list.yaml b/declarative/status/security.certificate.list.yaml new file mode 100644 index 0000000..a314d8f --- /dev/null +++ b/declarative/status/security.certificate.list.yaml 
@@ -0,0 +1,85 @@ +title: Status Security Certificate List +description: The client's managed certificates. +payload: + statusitemtype: security.certificate.list + supportedOS: + iOS: + introduced: '17.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user + macOS: + introduced: '14.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user + tvOS: + introduced: '17.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system +payloadkeys: +- key: security.certificate.list + title: Status item value. + type: + presence: required + content: A list of the device's managed certificates. + subkeytype: Certificate + subkeys: + - key: status_value + type: + subkeys: + - key: identifier + title: Unique identifier of the certificate. + type: + presence: required + content: The unique identifier of the certificate which the system uses as the + primary key. + - key: _removed + title: Indicates removal of the certificate. + type: + presence: optional + default: false + content: If 'true', the certificate is removed and the status item object only + contains this key and the 'identifier' key. + - key: declaration-identifier + title: Asset declaration identifier. + type: + presence: optional + content: The identifier of the asset declaration that installed the certificate, + which is only present if a declaration installed the certificate. + - key: subject-summary + title: Subject summary + type: + presence: required + content: The summary of the certificate's subject. + - key: is-identity + title: Is Identity + type: + presence: required + content: If 'true', the certificate is an identity certificate. + - key: data + title: Certificate Data + type: + presence: required + content: The certificate data in DER-encoded X.509 format. 
diff --git a/declarative/status/services.background-task.yaml b/declarative/status/services.background-task.yaml new file mode 100644 index 0000000..47b1d3b --- /dev/null +++ b/declarative/status/services.background-task.yaml 
@@ -0,0 +1,110 @@ +title: Status Services Background Task +description: The client's background task details. +payload: + statusitemtype: services.background-task + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: services.background-task + title: Status item value. + type: + presence: required + content: The background task. + subkeytype: Background Task + subkeys: + - key: status_value + type: + subkeys: + - key: identifier + title: Identifier + type: + presence: required + content: The background task UUID which the system uses as the primary key. + - key: _removed + title: Indicates removal of a background task. + type: + presence: optional + default: false + content: If 'true', the background task is removed and the status item object + only contains this key and the 'identifier' key. + - key: code-signature + title: Code signature + type: + presence: optional + content: For types other than 'agent' or 'daemon', this is the code signature + designated requirement of the item, if available. + - key: uid + title: Numeric user identifier + type: + presence: required + content: The numeric user identifier of the owner of the background task. + - key: path + title: Path + type: + presence: required + content: For an 'agent' or 'daemon', the path to the 'launchd' 'plist' file. + For other types, the path to the app or the document. + - key: state + title: Background task state + type: + presence: required + rangelist: + - not-registered + - enabled + - requires-approval + - not-found + content: The SMAppServiceStatus enumeration. + - key: type + title: Background task type + type: + presence: required + rangelist: + - daemon + - agent + - login-item + - app + - user-item + content: The daemon, agent, or SFL login item type. 
+ - key: launchd + title: Launchd background task + type: + presence: optional + content: Details about a 'launchd'-based background task, which is only present + when the type is 'daemon' or 'agent'. + subkeys: + - key: label + title: Label + type: + presence: required + content: The label of the 'launchd'-based background task. + - key: program + title: Program + type: + presence: required + content: The program that the 'launchd' 'plist' file specifies. + - key: program-arguments + title: Program arguments + type: + presence: optional + content: The program arguments that the 'launchd' 'plist' file specifies. + subkeys: + - key: program-arguments-item + title: Program argument + type: + - key: checksum + title: The hash value of the launchd plist. + type: + presence: required + content: The hash value of the 'launchd' 'plist' file. diff --git a/declarative/status/softwareupdate.failure-reason.yaml b/declarative/status/softwareupdate.failure-reason.yaml new file mode 100644 index 0000000..417c1da --- /dev/null +++ b/declarative/status/softwareupdate.failure-reason.yaml 
@@ -0,0 +1,51 @@ +title: Status Software Update Failure Reason +description: The software update failure reason state. +payload: + statusitemtype: softwareupdate.failure-reason + supportedOS: + iOS: + introduced: '17.0' + allowed-enrollments: + - device + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '14.0' + allowed-enrollments: + - device + allowed-scopes: + - system + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: softwareupdate.failure-reason + title: The software update failure reason state. + type: + presence: required + content: Details about a software update failure. + subkeytype: Dictionary + subkeys: + - key: count + title: The software update failure count. + type: + presence: required + content: The number of times the current software update failed. If there are + no failures, or no pending software update, this is '0'. + - key: reason + title: The reason for the software update failure. + type: + presence: optional + content: If present, this describes the reason for last software update failure. + This key isn't present if there are no failures or no pending software update. + - key: timestamp + title: The timestamp of the software update failure. + type: + presence: optional + content: If present, this is the RFC 3339 timestamp of the last software update + failure. This key isn't present if there are no failures or no pending software + update. diff --git a/declarative/status/softwareupdate.install-reason.yaml b/declarative/status/softwareupdate.install-reason.yaml new file mode 100644 index 0000000..35bb3f5 --- /dev/null +++ b/declarative/status/softwareupdate.install-reason.yaml 
@@ -0,0 +1,69 @@ +title: Status Software Update Install Reason +description: The software update install reason state. +payload: + statusitemtype: softwareupdate.install-reason + supportedOS: + iOS: + introduced: '17.0' + allowed-enrollments: + - device + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '14.0' + allowed-enrollments: + - device + allowed-scopes: + - system + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: softwareupdate.install-reason + title: The software update install reason state. + type: + presence: required + content: Details about the reason for a pending software update. + subkeytype: Dictionary + subkeys: + - key: reason + title: The software update install reason state. + type: + presence: required + content: A list of reasons for the pending software update. An empty list indicates + that no software update is pending. + subkeys: + - key: softwareupdate-reason + title: The software update install reason. + type: + presence: required + rangelist: + - system-settings + - install-tonight + - auto-update + - notification + - setup-assistant + - command-line + - mdm + - declaration + content: |- + The software update install reason state: + * system-settings - software update was triggered via Settings.app + * install-tonight - software update was triggered via install tonight action + * auto-update - software update was triggered via an automatic update + * notification - software update was triggered via user notification action + * setup-assistant - software update was triggered via Setup Assistant + * command-line - software update was triggered via `softwareupdate` command line tool + * mdm - software update was triggered via an MDM command + * declaration - software update was triggered via a declarative device management configuration + - key: declaration-id + title: The identifier of the declaration causing the software update to occur. 
+ type: + presence: optional + content: The identifier of the declaration that caused the software update to + occur. This key is present only if the 'reason' array contains the 'declaration' + value. diff --git a/declarative/status/softwareupdate.install-state.yaml b/declarative/status/softwareupdate.install-state.yaml new file mode 100644 index 0000000..a4b5bf6 --- /dev/null +++ b/declarative/status/softwareupdate.install-state.yaml @@ -0,0 +1,43 @@ +title: Status Software Update Install State +description: The software update install state. +payload: + statusitemtype: softwareupdate.install-state + supportedOS: + iOS: + introduced: '17.0' + allowed-enrollments: + - device + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '14.0' + allowed-enrollments: + - device + allowed-scopes: + - system + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: softwareupdate.install-state + title: The software update install state. + type: + presence: required + rangelist: + - none + - downloading + - prepared + - installing + - failed + content: |- + The software update install status: + * 'none': There's no software update pending, and any previous software update succeeded. + * 'waiting': A software update is waiting to start. + * 'downloading': The system is downloading data for a software update. + * 'prepared': The system prepared the software update and it's ready for installation. + * 'installing': The system is installing the software update. + * 'failed': The software update failed. diff --git a/declarative/status/softwareupdate.pending-version.yaml b/declarative/status/softwareupdate.pending-version.yaml new file mode 100644 index 0000000..635f92f --- /dev/null +++ b/declarative/status/softwareupdate.pending-version.yaml 
@@ -0,0 +1,45 @@ +title: Status Software Update Pending Version +description: The pending software update version. +payload: + statusitemtype: softwareupdate.pending-version + supportedOS: + iOS: + introduced: '17.0' + allowed-enrollments: + - device + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '14.0' + allowed-enrollments: + - device + allowed-scopes: + - system + tvOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: softwareupdate.pending-version + title: Pending software update version. + type: + presence: required + content: A dictionary that contains the build and OS versions of the software update + that's pending on the device. + subkeytype: Dictionary + subkeys: + - key: os-version + title: The OS version + type: + presence: required + content: The OS version of the pending software update, including any rapid security + response version. This string is empty if no update is pending. + - key: build-version + title: The build version + type: + presence: required + content: The build version of the pending software update, including any rapid + security response version. This string is empty if no update is pending. diff --git a/declarative/status/statusreason.yaml b/declarative/status/statusreason.yaml index a35dde8..4727ab1 100644 --- a/declarative/status/statusreason.yaml +++ b/declarative/status/statusreason.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + watchOS: + introduced: '10.0' payloadkeys: - key: code title: Error Code diff --git a/declarative/status/test.array-value.yaml b/declarative/status/test.array-value.yaml index 3672c79..48c732d 100644 --- a/declarative/status/test.array-value.yaml +++ b/declarative/status/test.array-value.yaml 
@@ -5,16 +5,45 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: test.array-value title: Status item value. type: presence: required - content: Status value. + content: The test status item array value. subkeytype: Array subkeys: - key: status_value diff --git a/declarative/status/test.boolean-value.yaml b/declarative/status/test.boolean-value.yaml index 954f1ed..6d4a76b 100644 --- a/declarative/status/test.boolean-value.yaml +++ b/declarative/status/test.boolean-value.yaml @@ -5,13 +5,42 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: test.boolean-value title: Status item value. type: presence: required - content: Status value. + content: The test status Boolean value. diff --git a/declarative/status/test.dictionary-value.yaml b/declarative/status/test.dictionary-value.yaml index 087fe50..5512cd6 100644 --- a/declarative/status/test.dictionary-value.yaml +++ b/declarative/status/test.dictionary-value.yaml 
@@ -5,16 +5,45 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: test.dictionary-value title: Status item value. type: presence: required - content: Status value. + content: The test status dictionary value. subkeytype: Dictionary subkeys: - key: key1 diff --git a/declarative/status/test.error-value.yaml b/declarative/status/test.error-value.yaml index da0ccbc..ed33ca9 100644 --- a/declarative/status/test.error-value.yaml +++ b/declarative/status/test.error-value.yaml @@ -5,13 +5,42 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: test.error-value title: Status item value. type: presence: required - content: Status value. + content: The test status error value. diff --git a/declarative/status/test.integer-value.yaml b/declarative/status/test.integer-value.yaml index 85bd379..0ea68ad 100644 --- a/declarative/status/test.integer-value.yaml +++ b/declarative/status/test.integer-value.yaml 
@@ -5,13 +5,42 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: test.integer-value title: Status item value. type: presence: required - content: Status value. + content: The test status integer value. diff --git a/declarative/status/test.real-value.yaml b/declarative/status/test.real-value.yaml index 740d4d5..8640f44 100644 --- a/declarative/status/test.real-value.yaml +++ b/declarative/status/test.real-value.yaml @@ -5,13 +5,42 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: test.real-value title: Status item value. type: presence: required - content: Status value. + content: The test status real value. diff --git a/declarative/status/test.string-value.yaml b/declarative/status/test.string-value.yaml index c330ace..73b926e 100644 --- a/declarative/status/test.string-value.yaml +++ b/declarative/status/test.string-value.yaml 
@@ -5,13 +5,42 @@ payload: supportedOS: iOS: introduced: '16.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user macOS: introduced: '13.0' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system + - user tvOS: introduced: '16.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system + watchOS: + introduced: '10.0' + allowed-enrollments: + - device + - local + allowed-scopes: + - system payloadkeys: - key: test.string-value title: Status item value. type: presence: required - content: Status value. + content: The test status string value. diff --git a/docs/errata.md b/docs/errata.md new file mode 100644 index 0000000..4fda272 --- /dev/null +++ b/docs/errata.md 
@@ -0,0 +1,33 @@ +# Schema Errata + +This document lists errata for the YAML schema. This is used when older versions of the schema are incorrect, and a fix was made in later schema to correct the problem. + +## iOS 17 / macOS 14 + +### profiles/com.apple.vpn.managed.yaml + +The `CertificateType` key in the `com.apple.vpn.managed` profile payload incorrectly listed `Ed25519` as a supported certificate type. That type was never supported and has now been removed. + +The `PPTP` VPNType has not been supported since iOS 10 and macOS 10.12, see https://support.apple.com/en-us/HT206844. The `PPTP` VPNType has been removed. + +### mdmprotocol/commands passcode.firmware.set.yaml passcode.firmware.verify.yaml + +The response keys were incorrectly listed as being top-level keys in the response dictionary when in fact they were nested one-level deep. + +### profiles/com.apple.vpn.managed.applayer.yaml + +The `OnDemandMatchAppEnabled` key in the `com.apple.vpn.managed.applayer` profile payload incorrectly listed its type as `integer`. The correct type is `boolean`. + +### profiles/com.apple.wifi.managed.yaml + +The EAPClientConfiguration dictionary listed both OneTimePassword and OneTimeUserPassword as valid keys. The erroneous OneTimePassword key has been removed. + +### profiles/com.apple.security.scep.yaml + +The documentation indicated that all the keys in the SubjectAltName value could be either string or array types. The ntPrincipalName cannot be an array and must be a +string. This has been clarified in the description. Note that the type field for the rfc822Name, dNSName, and uniformResourceIdentifier still indicates these are +strings. This has not been corrected as the schema does not support polymorphic types. + +### profiles/com.apple.universalaccess.yaml + +The `contrast` key in the `com.apple.universalaccess` profile payload incorrectly listed its type as `integer`. The correct type is `real`. 
diff --git a/docs/schema.md b/docs/schema.md index 392b1c0..a208698 100644 --- a/docs/schema.md +++ b/docs/schema.md @@ -13,6 +13,7 @@ The definition of the schema used here is in the `schema.yaml` file. That file c | payload | object | Information about the object as a whole | | payloadkeys | array | A list of YAML objects representing the command request | | responsekeys | array | A list of YAML objects representing the command response | +| reasons | array | A list of YAML objects representing declarative device management status reason codes | ### Payload Object @@ -24,6 +25,7 @@ The definition of the schema used here is in the `schema.yaml` file. That file c | statusitemtype | string | Type of the status payload | | credentialtype | string | Type of the credential asset data | | supportedOS | object | Identifies the range of supported OS versions that support the entire payload | +| apply | string | Indicates how multiple configurations of the same type are applied | | content | string | Description of the payload | ### supportedOS Object 
@@ -41,29 +43,33 @@ The `supportedOS` object is used in the `payload` object to indicate overall sup ### iOS, macOS, tvOS, watchOS Objects -| Name | Type | Description | -|--------------------|---------|-------------| -| introduced | string | OS version where feature was introduced | -| deprecated | string | OS version where feature was deprecated | -| removed | string | OS version where feature was removed | -| accessrights | string | The MDM protocol access rights required on the device to execute the command | -| devicechannel | boolean | Indicates whether the command is supported on the device channel | -| userchannel | boolean | indicates whether the command is supported on the user channel | -| supervised | boolean | Indicates whether the command can only be executed on supervised devices | -| requiresdep | boolean | If True, the command can only be executed on devices provisioned in DEP | -| userapprovedmdm | boolean | If True, the command can only be executed on devices with user approved MDM enrollment | -| allowmanualinstall | boolean | If True, the profile can be installed manually by a user on the device | -| sharedipad | object | Additional behavior specific to shared iPad devices | -| userenrollment | object | Additional behavior when user enrollment is in effect | -| always-skippable | boolean | If True, indicates that the skip key's corresponding Setup pane is always skipped. If False, indicates that the skip key's corresponding Setup pane may be shown, depending on exactly when during the setup flow it occurs. This is only used in skipkeys.yaml. 
| +| Name | Type | Description | +|---------------------|---------|-------------| +| introduced | string | OS version where feature was introduced | +| deprecated | string | OS version where feature was deprecated | +| removed | string | OS version where feature was removed | +| accessrights | string | The MDM protocol access rights required on the device to execute the command | +| multiple | boolean | Indicates whether multiple copies of the payload can be installed | +| devicechannel | boolean | Indicates whether the command or profile is supported on the device channel | +| userchannel | boolean | indicates whether the command or profile is supported on the user channel | +| supervised | boolean | Indicates whether the command or profile can only be executed on supervised devices | +| requiresdep | boolean | If True, the command can only be executed on devices provisioned in DEP | +| userapprovedmdm | boolean | If True, the command can only be executed on devices with user-approved MDM enrollment | +| allowmanualinstall | boolean | If True, the profile can be installed manually by a user on the device | +| sharedipad | object | Additional behavior specific to shared iPad devices | +| userenrollment | object | Additional behavior when user enrollment is in effect | +| always-skippable | boolean | If True, indicates that the skip key's corresponding Setup pane is always skipped. If False, indicates that the skip key's corresponding Setup pane may be shown, depending on exactly when during the setup flow it occurs. This is only used in skipkeys.yaml. 
| +| allowed-enrollments | string | Array of allowed enrollment types for declarative device management | +| allowed-scopes | string | Array of allowed enrollment scopes for declarative device management | ### Shared iPad Object -| Name | Type | Description | -|---------------|---------|-------------| -| mode | string | Indicates whether a payload or payload key can used with shared iPad | -| devicechannel | boolean | Defines if the payload can be installed on the device MDM channel | -| userchannel | boolean | Defines if the payload can be installed on the user MDM channel | +| Name | Type | Description | +|----------------|---------|-------------| +| mode | string | Indicates whether a payload or payload key can used with shared iPad | +| devicechannel | boolean | Defines if the payload can be installed on the device MDM channel | +| userchannel | boolean | Defines if the payload can be installed on the user MDM channel | +| allowed-scopes | string | Array of allowed enrollment scopes for declarative device management | __Notes__ 
@@ -89,12 +95,14 @@ The `mode` can have one of four values: `allowed`, `required`, `forbidden`, and | supportedOS | object | Identifies the range of supported OS versions that support the key | | type | string | The type of key | | subtype | string | Indicates the expected format of the string value of the key | +| assettypes | string | Indicates the set of allowed asset types | | presence | string | Whether the key is required or optional | | rangelist | array | List of allowed values for this key | | range | object | Bounds for the value of this key | | default | scalar | The default value for the key | | format | string | The format for the value expressed as a regular expression | | repetition | object | Cardinality for this value | +| combinetype | string | Indicates how this key is combined with ones from other configurations | | content | string | Description of the payload key | | subkeytype | string | A name that uniquely represents the structured subkey object | | subkeys | array | An array of payload keys | diff --git a/docs/schema.yaml b/docs/schema.yaml index f9b4ff0..53aad3e 100644 --- a/docs/schema.yaml +++ b/docs/schema.yaml 
@@ -52,24 +52,44 @@ properties: accessrights: type: string description: The MDM protocol access rights required on the device to execute the command. + multiple: + type: boolean + description: Indicates whether multiple copies of the payload can be installed devicechannel: type: boolean - description: Indicates whether the command is supported on the device channel. If this key is present it overrides the the `devicechannel` key in the top-level payload !!(payload) key. + description: Indicates whether the command or profile is supported on the device channel. If this key is present it overrides the the `devicechannel` key in the top-level payload !!(payload) key. userchannel: type: boolean - description: indicates whether the command is supported on the user channel. If this key is present it overrides the the `userchannel` key in the top-level payload !!(payload) key. + description: indicates whether the command or profile is supported on the user channel. If this key is present it overrides the the `userchannel` key in the top-level payload !!(payload) key. supervised: type: boolean - description: Indicates whether the command can only be executed on supervised devices. If this key is present it overrides the the `supervised` key in the top-level payload !!(payload) key. + description: Indicates whether the command or profile can only be executed on supervised devices. If this key is present it overrides the the `supervised` key in the top-level payload !!(payload) key. requiresdep: type: boolean description: If True, the command can only be executed on devices provisioned in DEP. userapprovedmdm: type: boolean - description: If True, the command can only be executed on devices with user approved MDM enrollment. + description: If True, the command can only be executed on devices with user-approved MDM enrollment. allowmanualinstall: type: boolean description: If True, the profile can be installed manually by a user on the device. 
+ allowed-enrollments: + type: array + description: Array of allowed enrollment types. + items: + type: string + enum: + - device + - user + - local + allowed-scopes: + type: array + description: Array of allowed scopes. + items: + type: string + enum: + - system + - user sharedipad: type: object description: Additional behavior specific to shared iPad devices. @@ -94,6 +114,15 @@ properties: userchannel: type: boolean description: Defines if the payload can be installed on the user MDM channel. + allowed-scopes: + type: array + description: Array of allowed scopes. + items: + type: string + enum: + - system + - user + - local userenrollment: type: object description: Additional behavior when user enrollment is in effect. @@ -124,6 +153,16 @@ properties: macOS: *supportedOSItem tvOS: *supportedOSItem watchOS: *supportedOSItem + apply: + type: string + description: Indicates how multiple configurations of the same type are applied. + If set to 'single', then only one configuration will be applied. + If set to 'multiple', then each configuration is applied separately. + If set to 'combined', then all configurations are combined into a single effective configuration. + enum: + - single + - multiple + - combined content: type: string description: Description of the payload. @@ -168,6 +207,11 @@ properties: - - - + assettypes: + type: array + description: Indicates the set of allowed asset types. + items: + type: string presence: type: string description: Whether the key is required or optional. @@ -202,6 +246,7 @@ properties: - string - integer - number + - boolean description: The default value (if any) for the key. format: type: string 
@@ -220,6 +265,31 @@ properties: max: type: integer description: Upper bound. + combinetype: + type: string + description: |- + For a configuration that will be combined, indicates how this key is combined with ones from other configurations. + * boolean-or - multiple values are combined using a logical OR operation + * boolean-and - multiple values are combined using a logical AND operation + * number-min - multiple or values are combined by using the smallest value + * number-max - multiple or values are combined by using the largest value + * enum-lowest - multiple values with a rangelist are combined by using the value whose position is lowest in the range list + * enum-highest - multiple values with a rangelist are combined by using the value whose position is highest in the range list + * first - multiple values are combined by using the first value that is processed + * array-append - multiple values are combined by concatenating the values in each array into a new array + * set-union - multiple values are combined by returning the unique union of all values in each array + * set-intersection - multiple values are combined by returning the unique intersection of all values in each array + enum: + - boolean-or + - boolean-and + - number-min + - number-max + - enum-lowest + - enum-highest + - first + - array-append + - set-union + - set-intersection content: type: string description: Description of the payload key. 
@@ -229,3 +299,45 @@ properties: subkeys: *payloadKeys responsekeys: *payloadKeys + + reasons: + type: array + description: An array of Remote Management status reason codes. + items: + type: object + description: An Remote Management reason code. + additionalProperties: false + properties: + value: + type: string + description: The Remote Management reason code. + description: + type: string + description: Description of the Remote Management reason code. + details: + type: array + description: Keys defined in the Details dictionary + items: + type: object + description: Details dictionary keys + additionalProperties: false + properties: + key: + type: string + description: The name of the dictionary key. + description: + type: string + description: Description of the dictionary item. + type: + type: string + description: The type of the dictionary value. + enum: + - + - + - + - + - + - + - + - + - diff --git a/mdm/checkin/authenticate.yaml b/mdm/checkin/authenticate.yaml index fc69cf3..7cd91a7 100644 --- a/mdm/checkin/authenticate.yaml +++ b/mdm/checkin/authenticate.yaml @@ -23,6 +23,9 @@ payload: tvOS: introduced: '10.2' supervised: false + watchOS: + introduced: '10.0' + supervised: false content: Check-in protocol authenticate request and response. payloadkeys: - key: DeviceName @@ -31,6 +34,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: required content: The device's name. @@ -40,6 +45,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: required content: The device's model name. @@ -49,6 +56,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: required content: The device's model. @@ -85,6 +94,8 @@ payloadkeys: mode: required tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: required content: The per-enrollment identifier for the device. Available in macOS 10.15 
@@ -94,6 +105,9 @@ payloadkeys: iOS: introduced: '9.0' accessrights: AllowQueryDeviceInformation + watchOS: + introduced: '10.0' + accessrights: AllowQueryDeviceInformation type: presence: optional content: The device's OS version. @@ -102,6 +116,9 @@ payloadkeys: iOS: introduced: '9.0' accessrights: AllowQueryDeviceInformation + watchOS: + introduced: '10.0' + accessrights: AllowQueryDeviceInformation type: presence: optional content: The device's build version. @@ -110,6 +127,9 @@ payloadkeys: iOS: introduced: '9.0' accessrights: AllowQueryDeviceInformation + watchOS: + introduced: '10.0' + accessrights: AllowQueryDeviceInformation type: presence: optional content: The device's product name ('iPhone3,1'). @@ -124,6 +144,9 @@ payloadkeys: accessrights: AllowQueryDeviceInformation userenrollment: mode: forbidden + watchOS: + introduced: '10.0' + accessrights: AllowQueryDeviceInformation type: presence: optional content: The device's serial number. @@ -138,6 +161,9 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: '10.0' + accessrights: AllowQueryDeviceInformation type: presence: optional content: The device's IMEI (International Mobile Station Equipment Identity). @@ -152,6 +178,9 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: '10.0' + accessrights: AllowQueryDeviceInformation type: presence: optional content: The device's MEID (Mobile Equipment Identifier). diff --git a/mdm/checkin/checkout.yaml b/mdm/checkin/checkout.yaml index 3309178..9bab959 100644 --- a/mdm/checkin/checkout.yaml +++ b/mdm/checkin/checkout.yaml @@ -23,6 +23,9 @@ payload: tvOS: introduced: '10.2' supervised: false + watchOS: + introduced: '10.0' + supervised: false content: Check-in protocol check out request and response. payloadkeys: - key: MessageType 
@@ -55,6 +58,8 @@ payloadkeys: mode: required tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: required content: The per-enrollment identifier for the device. Available in macOS 10.15 diff --git a/mdm/checkin/declarativemanagement.yaml b/mdm/checkin/declarativemanagement.yaml index f9ab012..9cc3072 100644 --- a/mdm/checkin/declarativemanagement.yaml +++ b/mdm/checkin/declarativemanagement.yaml @@ -25,6 +25,10 @@ payload: introduced: '16.0' supervised: false requiresdep: false + watchOS: + introduced: '10.0' + supervised: false + requiresdep: false content: Check-in protocol declarative management request and response. payloadkeys: - key: MessageType @@ -67,6 +71,8 @@ payloadkeys: mode: required tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: required content: The per-enrollment identifier for the device. @@ -80,6 +86,8 @@ payloadkeys: mode: required tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: required content: A per-enrollment identifier that identifies the user for user enrollments. @@ -92,6 +100,8 @@ payloadkeys: devicechannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: On Shared iPad, this value returns the Managed Apple ID of the user. When @@ -106,6 +116,8 @@ payloadkeys: devicechannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: On macOS, this value always returns the ID of the user. On Shared iPad, @@ -119,6 +131,8 @@ payloadkeys: devicechannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: required content: The full name of the user. diff --git a/mdm/checkin/gettoken.yaml b/mdm/checkin/gettoken.yaml new file mode 100644 index 0000000..6fbae51 --- /dev/null +++ b/mdm/checkin/gettoken.yaml 
@@ -0,0 +1,160 @@ +title: Get Token +description: Check-in protocol get token data. +payload: + requesttype: GetToken + supportedOS: + iOS: + introduced: '17.0' + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: true + userenrollment: + mode: allowed + macOS: + introduced: '14.0' + devicechannel: true + userchannel: true + supervised: false + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: n/a + watchOS: + introduced: n/a + content: Check-in protocol get token data request and response. +payloadkeys: +- key: MessageType + type: + presence: required + rangelist: + - GetToken + content: A string that specifies this is a get-token request. +- key: TokenServiceType + type: + presence: required + rangelist: + - com.apple.maid + - com.apple.watch.pairing + content: A string that specifies the service for the requested token. +- key: TokenParameters + type: + presence: optional + content: Parameters that the system uses to generate the token. + subkeys: + - key: SecurityToken + title: Security Token + supportedOS: + iOS: + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: n/a + type: + presence: optional + content: A security token to generate the server token. Required by the 'com.apple.watch.pairing' + service type. + - key: PhoneUDID + title: Phone Identifier + supportedOS: + iOS: + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: n/a + type: + presence: optional + content: The identifier of the phone paired to the watch. Required by the 'com.apple.watch.pairing' + service type. + - key: WatchUDID + title: Watch Identifier + supportedOS: + iOS: + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: n/a + type: + presence: optional + content: The identifier of the watch paired to the phone. Required by the 'com.apple.watch.pairing' + service type. 
+- key: UDID + supportedOS: + iOS: + userenrollment: + mode: forbidden + macOS: + userenrollment: + mode: forbidden + type: + presence: required + content: The device's UDID. +- key: EnrollmentID + supportedOS: + iOS: + userenrollment: + mode: required + macOS: + userenrollment: + mode: required + type: + presence: required + content: A per-enrollment identifier that identifies the device for user enrollments. +- key: EnrollmentUserID + supportedOS: + iOS: + introduced: n/a + macOS: + devicechannel: false + userenrollment: + mode: required + type: + presence: required + content: A per-enrollment identifier that identifies the user for user enrollments. +- key: UserShortName + supportedOS: + iOS: + sharedipad: + mode: required + macOS: + devicechannel: false + type: + presence: optional + content: On Shared iPad, this value returns the Managed Apple ID of the user. When + present, it indicates that the token is for the user channel. In macOS, this value + returns the short name of the user. +- key: UserID + supportedOS: + iOS: + sharedipad: + mode: required + macOS: + devicechannel: false + type: + presence: optional + content: In macOS, this value returns the ID of the user. On Shared iPad, this value + is 'FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF' to indicate that no authentication occurs. +- key: UserLongName + supportedOS: + iOS: + introduced: n/a + macOS: + devicechannel: false + type: + presence: required + content: The full name of the user. +responsekeys: +- key: TokenData + type: + presence: required + content: The token represented as data. If the token is a string value, this will + be the UTF-8 encoded string data. diff --git a/mdm/checkin/tokenupdate.yaml b/mdm/checkin/tokenupdate.yaml index cd69f61..e1ea2ad 100644 --- a/mdm/checkin/tokenupdate.yaml +++ b/mdm/checkin/tokenupdate.yaml 
@@ -23,6 +23,9 @@ payload: tvOS: introduced: '10.2' supervised: false + watchOS: + introduced: '10.0' + supervised: false content: Check-in protocol token update request and response. payloadkeys: - key: NotOnConsole @@ -32,9 +35,11 @@ payloadkeys: macOS: introduced: '10.11' devicechannel: false + watchOS: + introduced: n/a type: presence: required - content: If true, the device is not on console. + content: If 'true', the device is not on console. - key: MessageType type: presence: required @@ -68,6 +73,8 @@ payloadkeys: mode: required tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: required content: The per-enrollment identifier for the device. Available in macOS 10.15 @@ -83,6 +90,8 @@ payloadkeys: mode: required tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: required content: The per-enrollment identifier for the user. Available in macOS 10.15 and @@ -97,6 +106,8 @@ payloadkeys: devicechannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: |- @@ -112,6 +123,8 @@ payloadkeys: devicechannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: |- @@ -125,6 +138,8 @@ payloadkeys: devicechannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: required content: The full name of the user. @@ -146,6 +161,8 @@ payloadkeys: mode: forbidden macOS: introduced: n/a + watchOS: + accessrights: AllowPasscodeRemovalAndLock type: presence: optional content: The data that can be used to unlock the device. If provided, the server 
@@ -157,8 +174,11 @@ payloadkeys: macOS: introduced: '10.11' userchannel: false + watchOS: + introduced: n/a type: presence: optional default: false - content: If 'true', the device is awaiting a Release Device from Await Configuration - MDM command before proceeding through Setup Assistant. + content: |- + If 'true' from the device channel, the device is awaiting a Release Device from Await Configuration MDM command before proceeding through Setup Assistant. + If 'true' from the user channel (Shared iPad only), the device is awaiting a UserConfiguredCommand MDM command before proceeding through Setup Assistant. diff --git a/mdm/commands/account.configuration.yaml b/mdm/commands/account.configuration.yaml index 9d14d17..f9cf2b3 100644 --- a/mdm/commands/account.configuration.yaml +++ b/mdm/commands/account.configuration.yaml @@ -91,20 +91,20 @@ payloadkeys: title: fullName type: presence: optional - content: The full name of the user. This defaults to shortName if not specified. + content: The full name of the user, which defaults to 'shortName' if not specified. - key: passwordHash title: passwordHash type: presence: optional - content: Contains the pre-created salted PBKDF2 SHA512 password hash for the - account. + content: Data that contains the pre-created salted PBKDF2 SHA512 password hash + for the account. - key: hidden title: hidden type: presence: optional default: false - content: If true, this sets the account attribute to make the account hidden - to loginwindow and Users&Groups. OD attribute dsAttrTypeNative:IsHidden. + content: If 'true', this sets the account attribute to make the account hidden + in the login window and Users & Groups. - key: ManagedLocalUserShortName supportedOS: macOS: diff --git a/mdm/commands/application.install.enterprise.yaml b/mdm/commands/application.install.enterprise.yaml index efac039..59eb9f5 100644 --- a/mdm/commands/application.install.enterprise.yaml +++ b/mdm/commands/application.install.enterprise.yaml 
@@ -59,8 +59,8 @@ payloadkeys: presence: optional default: false content: |- - If 'true', install the app as a managed app. For manifest-based installation, if this value is 'true', but the package doesn't meet the criteria for management, the installation fails. Reinstall a managed app with this value set to 'false' to change the app to an unmanaged app. - To satisfy the criteria for management, the pkg must contain a single, signed application installed into '/Applications'. + If 'true', install the app as a managed app. + For manifest-based installs, if 'true' the system considers only the .app bundles installed into '/Applications' as managed (macOS 11 through 13 required the pkg to contain a single .app bundle). Reinstalling a managed app without this flag causes it to become unmanaged. This value is available in macOS 11 and later. - key: ManagementFlags supportedOS: diff --git a/mdm/commands/application.install.yaml b/mdm/commands/application.install.yaml index 05fb4c8..680af60 100644 --- a/mdm/commands/application.install.yaml +++ b/mdm/commands/application.install.yaml @@ -33,6 +33,10 @@ payload: introduced: '10.2' accessrights: AllowAppInstallation supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowAppInstallation + supervised: false content: This command allows the server to install an application on a device. If the app is already being managed, this command will update the app. macOS change - 10.9 user channel for VPP, 10.10 device channel, 10.11 both. 
@@ -120,28 +124,46 @@ payloadkeys: to provide it. This value is available in iOS 7 and later, and tvOS 10.2 and later. subkeys: - key: VPNUUID + supportedOS: + tvOS: + introduced: n/a type: presence: optional - content: A per-app VPN unique identifier for this app. This value is available - in iOS 7 and later, and tvOS 10.2 and later. + content: A per-app VPN unique identifier for this app. Available in iOS 7 and + later. - key: ContentFilterUUID supportedOS: iOS: introduced: '16.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional - content: Content Filter UUID assigned to this app. + content: The content filter UUID for this app. Available in iOS 16 and later. - key: DNSProxyUUID supportedOS: iOS: introduced: '16.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional - content: DNS Proxy UUID assigned to this app. + content: The DNS proxy UUID for this app. Available in iOS 16 and later. + - key: RelayUUID + supportedOS: + iOS: + introduced: '17.0' + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + content: The relay UUID for this app. Available in iOS 17 and later. - key: AssociatedDomains supportedOS: iOS: @@ -150,8 +172,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: An array that contains the associated domains to add to this app. This - value is available in iOS 13 and later. + content: An array that contains the associated domains to add to this app. Available + in iOS 13 and later. subkeys: - key: AssociatedDomain type: @@ -166,7 +188,7 @@ payloadkeys: default: false content: If 'true', perform claimed site association verification directly at the domain instead of on Apple's servers. Only set this to 'true' for domains - that can't access the internet. This value is available in iOS 14 and later. + that can't access the internet. Available in iOS 14 and later. - key: Removable supportedOS: iOS: 
@@ -176,23 +198,35 @@ payloadkeys: type: presence: optional default: true - content: If 'false', this app isn't removable while it's a managed app. This value - is available in iOS 14 and later, and tvOS 14 and later. + content: If 'false', this app isn't removable while it's a managed app. Available + in iOS 14 and later, and tvOS 14 and later. - key: TapToPayScreenLock supportedOS: iOS: introduced: '16.4' - macOS: - introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false - content: Enabling this setting will require Tap to Pay on iPhone users to use - Face ID or a passcode to unlock their device after every transaction that requires - a customer’s card PIN. Disabling this setting will allow users to configure - this setting on their device based on personal preference. + content: |- + If 'true', Tap to Pay on iPhone requires users to use Face ID or a passcode to unlock their device after every transaction that requires a customer's card PIN. If 'false', the user can configure this setting on their device. + Available in iOS 16.4 and later. + - key: CellularSliceUUID + supportedOS: + iOS: + introduced: '17.0' + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + content: |- + The data network name (DNN) or app category. For DNN, the value is 'DNN:name', where 'name' is the carrier provided DNN name. For app category, the value is 'AppCategory:category', where 'category' is a carrier provided string like “Enterprise1”. + Available in iOS 17 and later. - key: ChangeManagementState supportedOS: iOS: 
@@ -210,7 +244,7 @@ payloadkeys: content: |- The change management state. The only supported state is: * 'Managed': Take management of the app if the user installed it already. This also requires that you pass 'true' for 'InstallAsManaged'. - This value doesn't work with the User Enrollment feature introduced in iOS 13. + This value doesn't work with Profile Based User Enrollment, Account Driven User Enrollment and Account Driven Device Enrollment. Available in iOS 9 and later, macOS 11 and later, and tvOS 10.2 and later. - key: InstallAsManaged supportedOS: @@ -222,14 +256,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false - content: If 'true', install the app as a managed app. For manifest-based installation, - if this value is 'true', but the package doesn't meet the criteria for management, - the installation fails. Reinstall a managed app with this value set to 'false' - to change the app to an unmanaged app. This value is available in macOS 11 and - later. + content: |- + If 'true', install the app as a managed app. + For manifest-based installs, if this value is 'true', the system only considers the '.app' bundles installed into '/Applications 'as managed (macOS 11 through 13 required the 'pkg' to contain a single '.app' bundle). + Reinstall a managed app with this value set to 'false' to change the app to an unmanaged app. + This value is available in macOS 11 and later. - key: iOSApp supportedOS: iOS: @@ -238,6 +274,8 @@ payloadkeys: introduced: '11.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false 
@@ -251,6 +289,26 @@ responsekeys: - key: State type: presence: optional + rangelist: + - Queued + - NeedsRedemption + - Redeeming + - Prompting + - PromptingForLogin + - ValidatingPurchase + - Installing + - Managed + - ManagedButUninstalled + - UserInstalledApp + - UserRejectedFailed + - PromptingForUpdate + - PromptingForUpdateLogin + - ValidatingUpdate + - Updating + - UpdateRejected + - PromptingForManagement + - ManagementRejected + - Unknown content: The app's installation state, if the user accepted the request. If this value is 'NeedsRedemption', the server must send a redemption code to complete the app installation. diff --git a/mdm/commands/application.installed.list.yaml b/mdm/commands/application.installed.list.yaml index 66bc873..648045a 100644 --- a/mdm/commands/application.installed.list.yaml +++ b/mdm/commands/application.installed.list.yaml @@ -26,6 +26,10 @@ payload: introduced: '10.2' accessrights: AllowQueryApplications supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowQueryApplications + supervised: false content: This command allows the server to query for installed 3rd party applications. payloadkeys: - key: Identifiers @@ -254,6 +258,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false diff --git a/mdm/commands/application.invitetoprogram.yaml b/mdm/commands/application.invitetoprogram.yaml index 5d0f513..8cc9f5f 100644 --- a/mdm/commands/application.invitetoprogram.yaml +++ b/mdm/commands/application.invitetoprogram.yaml 
@@ -25,7 +25,8 @@ payload: content: This command allows a server to invite a user to join a program. This command issues the invitation, but does not allow the server to monitor whether the user has joined the program. This command is supported in the user channel. This command - will yield a NotNow status until the user exits Setup Assistant. + will yield a NotNow status until the user exits Setup Assistant. This command + does not work with Account Driven Device Enrollment. payloadkeys: - key: ProgramID type: diff --git a/mdm/commands/application.managed.list.yaml b/mdm/commands/application.managed.list.yaml index 2ebd70c..31e6230 100644 --- a/mdm/commands/application.managed.list.yaml +++ b/mdm/commands/application.managed.list.yaml @@ -28,6 +28,10 @@ payload: introduced: '10.2' accessrights: AllowAppInstallation supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowAppInstallation + supervised: false content: This command allows the server to query the status of managed apps. Certain statuses are transient. Once they are reported to the server, the entries for the apps are removed from the next query. macOS supports this command on the user @@ -50,7 +54,7 @@ responsekeys: content: A dictionary that contains status information about each managed app. subkeytype: ManagedApplicationListItem subkeys: - - key: + - key: ANY app identifier type: presence: required content: The bundle identifier of the managed app. diff --git a/mdm/commands/application.remove.yaml b/mdm/commands/application.remove.yaml index d39fe96..0376fdc 100644 --- a/mdm/commands/application.remove.yaml +++ b/mdm/commands/application.remove.yaml @@ -25,6 +25,10 @@ payload: introduced: '10.2' accessrights: AllowAppInstallation supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowAppInstallation + supervised: false content: This command allows a server to remove a managed app. payloadkeys: - key: Identifier 
diff --git a/mdm/commands/certificate.list.yaml b/mdm/commands/certificate.list.yaml index 0de6e44..ccb6ce5 100644 --- a/mdm/commands/certificate.list.yaml +++ b/mdm/commands/certificate.list.yaml @@ -32,6 +32,10 @@ payload: introduced: '6.0' accessrights: AllowInspection supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowInspection + supervised: false content: |- This command allows the server to retrieve the list of installed certificates on the device. The command requires that the server has the Inspect Profile Manifest privilege. For userenrollment, this request will limit to certificates pushed via MDM. diff --git a/mdm/commands/declarativemanagement.yaml b/mdm/commands/declarativemanagement.yaml index 82cfb54..9a579ca 100644 --- a/mdm/commands/declarativemanagement.yaml +++ b/mdm/commands/declarativemanagement.yaml @@ -27,6 +27,9 @@ payload: introduced: '16.0' supervised: false requiresdep: false + watchOS: + introduced: '10.0' + supervised: false content: This command allows the server to turn on the Declarative Management engine on the device (the first time it is used), or to trigger a Declarative Management synchronization operation. diff --git a/mdm/commands/device.activationlock.bypasscode.yaml b/mdm/commands/device.activationlock.bypasscode.yaml index 642a4b1..800d92b 100644 --- a/mdm/commands/device.activationlock.bypasscode.yaml +++ b/mdm/commands/device.activationlock.bypasscode.yaml @@ -1,5 +1,5 @@ title: Activation Lock Bypass Code Command -description: Retrievies the Activation Lock bypass code from the device. +description: Retrieves the Activation Lock bypass code from the device. payload: requesttype: ActivationLockBypassCode supportedOS: diff --git a/mdm/commands/device.erase.yaml b/mdm/commands/device.erase.yaml index 4f40b44..475f088 100644 --- a/mdm/commands/device.erase.yaml +++ b/mdm/commands/device.erase.yaml 
@@ -27,6 +27,10 @@ payload: introduced: '10.2' accessrights: AllowDeviceErase supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowDeviceErase + supervised: false content: This command allows the server to remotely erase the device. This command requires the Device Erase right. payloadkeys: @@ -53,6 +57,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -67,6 +73,8 @@ payloadkeys: introduced: '10.8' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: The six-character PIN for Find My. This value is available in macOS 10.8 @@ -79,6 +87,8 @@ payloadkeys: introduced: '12.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional rangelist: 
@@ -106,3 +116,35 @@ payloadkeys: 'Default': If EACS preflight fails, the device responds to the server with an 'Error' status and then attempts to erase itself. If EACS preflight succeeds but EACS fails, then the device attempts to erase itself. +- key: ReturnToService + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + content: The configuration settings for Return to Service. This value is available + in iOS 17 and later. + subkeys: + - key: Enabled + title: Use Return to Service + type: + presence: required + content: If 'true', the device tries to re-enroll itself automatically after erasure. + The user needs to deactivate all activation locks for this feature to work correctly. + - key: WiFiProfileData + type: + presence: optional + content: The WiFi profile that installed after erasure, when using Return to Service. + This is required when the device doesn't have ethernet access. + - key: MDMProfileData + type: + presence: optional + content: |- + The MDM profile installed after erasure, when using Return to Service. This key is required for all unsupervised devices, as well as supervised devices that weren't enrolled with ADE. If provided, the device uses this profile directly instead of fetching it from the server. For ADE enrolled devices, this key isn't necessary unless the cloud configuration profile of the device contains the 'configuration-web-url' key. + The cloud configuration is still downloaded from Apple's servers when the profile contains this key, so the supervision identity, MDM removability and other settings from the cloud configuration still applies. However, the device doesn't use the URL specified in the cloud configuration to fetch the MDM profile. diff --git a/mdm/commands/device.lock.yaml b/mdm/commands/device.lock.yaml index dfd94d5..b218e8f 100644 --- a/mdm/commands/device.lock.yaml +++ b/mdm/commands/device.lock.yaml 
@@ -23,6 +23,10 @@ payload: requiresdep: false userenrollment: mode: forbidden + watchOS: + introduced: '10.0' + accessrights: AllowPasscodeRemovalAndLock + supervised: false content: This command allows the server to immediately lock the device. This command requires the Device Lock and Passcode Removal right. payloadkeys: @@ -58,6 +62,8 @@ payloadkeys: introduced: n/a macOS: introduced: '10.8' + watchOS: + introduced: n/a type: presence: optional content: The six-character PIN for Find My. This value is available in macOS 10.8 diff --git a/mdm/commands/device.restrictions.list.yaml b/mdm/commands/device.restrictions.list.yaml index b87d17b..6430972 100644 --- a/mdm/commands/device.restrictions.list.yaml +++ b/mdm/commands/device.restrictions.list.yaml @@ -20,6 +20,10 @@ payload: introduced: '6.1' accessrights: AllowQueryRestrictions supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowQueryRestrictions + supervised: false content: This command allows the server to determine what restrictions are being enforced on the device, and the total sum of all restrictions. This command requires the Restrictions Query access right. This technically does work on macOS but it diff --git a/mdm/commands/information.contentcaching.yaml b/mdm/commands/information.contentcaching.yaml index 6151d51..124bae3 100644 --- a/mdm/commands/information.contentcaching.yaml +++ b/mdm/commands/information.contentcaching.yaml 
@@ -43,11 +43,12 @@ responsekeys: The error conditions the content cache detected in the 'PeerFilterRanges' in the installed 'com.apple.AssetCache.managed' payload. To display these alerts on the device, set 'DisplayAlerts' to 'true' in the installed ContentCaching profile. subkeys: - - key: Index into the PeerFilterRanges in the installed com.apple.AssetCache.managed - payload + - key: ANY index type: presence: required content: A dictionary that describes the alerts for the peer filter ranges. + The key name is the index into the PeerFilterRanges array in the installed + com.apple.AssetCache.managed payload. subkeys: - key: className type: diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml index 8af2cf4..2cb6ed1 100644 --- a/mdm/commands/information.device.yaml +++ b/mdm/commands/information.device.yaml @@ -27,6 +27,10 @@ payload: introduced: '6.0' accessrights: Special Case supervised: false + watchOS: + introduced: '10.0' + accessrights: Special Case + supervised: false content: This command allows the server to query for specific device information. It's supported in the user channel. payloadkeys: @@ -50,6 +54,8 @@ payloadkeys: mode: forbidden tvOS: accessrights: n/a + watchOS: + accessrights: n/a type: content: The key to get the unique identifier of the device. - key: ProvisioningUDID @@ -63,6 +69,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The device identifier for provisioning profiles. This value differs from the UDID for Apple silicon. Available in macOS 11.3 and later. @@ -76,6 +84,8 @@ payloadkeys: tvOS: introduced: '9.0' accessrights: n/a + watchOS: + accessrights: n/a type: content: The key to get the contents of SettingsCommand.Command.Settings.OrganizationInfo.OrganizationInfo. - key: MDMOptions 
@@ -88,6 +98,8 @@ payloadkeys: tvOS: introduced: '9.0' accessrights: n/a + watchOS: + introduced: '10.0' type: content: The key to get the contents of SettingsCommand.Command.Settings.MDMOptions.MDMOptions. - key: LastCloudBackupDate @@ -100,6 +112,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the date of the most recent iCloud backup. This value is available in iOS 8 and later. @@ -118,9 +132,13 @@ payloadkeys: tvOS: introduced: '10.2' accessrights: n/a + watchOS: + accessrights: n/a type: - content: The key to determine if the device is waiting for a DeviceConfiguredCommand - to continue through Setup Assistant. + content: If true from device channel, device is still waiting for a DeviceConfigured + message from MDM to continue through Setup Assistant. If true from user channel + (Shared iPad only), device is still waiting for a UserConfigured message from + MDM to continue through Setup Assistant and finish login. Always available. - key: iTunesStoreAccountIsActive supportedOS: iOS: @@ -136,6 +154,8 @@ payloadkeys: tvOS: introduced: '9.0' accessrights: AllowAppInstallation + watchOS: + accessrights: AllowAppInstallation type: content: The key to determine if an iTunes Store account is active. This value requires the App Installation access right. @@ -154,6 +174,8 @@ payloadkeys: tvOS: introduced: '9.0' accessrights: AllowAppInstallation + watchOS: + accessrights: AllowAppInstallation type: content: The key to get a hash of the logged-in iTunes Store account. Also see GetVppUserRequest. This value requires the App Installation access right. @@ -165,6 +187,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: accessrights: AllowQueryDeviceInformation + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to get the device name. This value requires the Device Information access right. 
@@ -176,6 +200,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: accessrights: AllowQueryDeviceInformation + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to get the operating system version. This value requires the Device Information access right. @@ -190,9 +216,12 @@ payloadkeys: tvOS: introduced: '16.1' accessrights: AllowQueryDeviceInformation + watchOS: + introduced: n/a type: - content: The OS update rapid security response version letter if a rapid security - response update is installed. Requires Device Information right. + content: The key to get the OS update rapid security response version letter, + if a rapid security response update is installed. This value requires the + Device Information access right. - key: BuildVersion supportedOS: iOS: @@ -201,6 +230,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: accessrights: AllowQueryDeviceInformation + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to get the operating system version. This value requires the Device Information access right. @@ -215,11 +246,13 @@ payloadkeys: tvOS: introduced: '16.1' accessrights: AllowQueryDeviceInformation + watchOS: + accessrights: AllowQueryDeviceInformation type: - content: The build version associated with the currently installed rapid security - response. If there is no installed rapid security response, this value will - be identical to the value reported through BuildVersion. Requires Device Information - right. + content: The key to get the build version for the currently installed rapid + security response. If there's no installed rapid security response, this value + is the same as 'BuildVersion'. This value requires the Device Information + access right. - key: ModelName supportedOS: iOS: 
@@ -228,6 +261,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: accessrights: AllowQueryDeviceInformation + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to get the model name; for example, iPhone. This value requires the Device Information access right. @@ -239,6 +274,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: accessrights: AllowQueryDeviceInformation + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to get the model. This value requires the Device Information access right. @@ -253,9 +290,12 @@ payloadkeys: tvOS: introduced: '16.4' accessrights: AllowQueryDeviceInformation + watchOS: + introduced: n/a type: - content: The device's hardware model number, including region info, e.g. "MK1A3LL/A". - Requires Device Information right. Requires Apple silicon on macOS. + content: The key to get the device's hardware model number including region + info, for example, 'MK1A3LL/A'. This value requires the Device Information + right, and it requires Apple silicon on macOS. - key: IsAppleSilicon supportedOS: iOS: @@ -265,6 +305,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: |- If 'true', the device is a Mac with Apple silicon (for example, an Apple M1 chip). @@ -277,6 +319,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: accessrights: AllowQueryDeviceInformation + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to get the product name, such as iPad8,12. This value requires the Device Information access right. @@ -292,6 +336,8 @@ payloadkeys: mode: forbidden tvOS: accessrights: AllowQueryDeviceInformation + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to get the serial number. This value requires the Device Information access right. 
@@ -303,6 +349,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to get the device's total capacity. This value requires the Device Information access right, and is available in iOS 4 and later, and @@ -315,6 +363,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to get the available capacity. This value requires the Device Information access right, and is available in iOS 4 and later, and macOS 10.7 @@ -330,10 +380,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the International Mobile Equipment Identity (IMEI) number. - This value requires the Device Information access right, and is available - in iOS 4 and later. + This value requires the Device Information access right. It's available as + of iOS 4 and deprecated in iOS 16. - key: MEID supportedOS: iOS: @@ -345,9 +397,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the mobile equipment ID (MEID). This value requires - the Device Information access right, and is available in iOS 4 and later. + the Device Information access right. It's available as of iOS 4 and deprecated + in iOS 16. - key: ModemFirmwareVersion supportedOS: iOS: @@ -358,6 +413,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the modem firmware version. This value requires the Device Information access right, and is available in iOS 4 and later. @@ -370,6 +427,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the cellular technology type. This value requires the Device Information access right, and is available in iOS 4.2.6 and later. 
@@ -383,6 +442,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to get the battery level. This value requires the Device Information access right, and is available in iOS 5 and later. @@ -395,8 +456,10 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: Whether the device has an internal battery. + content: The key to determine whether the device has an internal battery. - key: IsSupervised supportedOS: iOS: @@ -407,6 +470,8 @@ payloadkeys: tvOS: introduced: '9.0' accessrights: AllowQueryDeviceInformation + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to determine if the device is a supervised device. This value requires the Device Information access right, and is available in iOS 6 and @@ -420,6 +485,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to determine if the device is in ephemeral multiuser mode. This value requires the Device Information access right, and is available @@ -433,6 +500,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to determine if a device locator service, such as Find My, is in an enabled state on the device. This value requires the Device Information 
@@ -453,10 +522,13 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + deprecated: '10.0' + accessrights: AllowQueryDeviceInformation type: content: The key to determine if Activation Lock is in an enabled state on the - device. This value requires the Device Information access right, and is available - in iOS 7 and later, and macOS 10.9 and later. + device. This value requires the Device Information access right. It's available + as of iOS 7 and macOS 10.15, and deprecated in iOS 16 and macOS 13. - key: IsActivationLockSupported supportedOS: iOS: @@ -468,6 +540,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to determine if the device supports Activation Lock. Also see 'IsActivationLockManageable' in SecurityInfoResponse.SecurityInfo.ManagementStatus. @@ -483,6 +557,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to determine if the device is in Do Not Disturb (DND) mode. This value requires the Device Information access right, and is available @@ -496,6 +572,8 @@ payloadkeys: tvOS: introduced: '6.0' accessrights: AllowQueryDeviceInformation + watchOS: + introduced: n/a type: content: The key to get the device ID. This value requires the Device Information access right, and is available in tvOS 6 and later. @@ -508,6 +586,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the device identifier for Exchange ActiveSync (EAS). This value requires the Device Information access right, and is available @@ -523,6 +603,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to determine if iCloud Backup is in an enabled state on the device. This value requires the Device Information access right, and is available 
@@ -537,6 +619,8 @@ payloadkeys: userchannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get an array of directory GUIDs for logged-in managed users. This value requires the Device Information access right, and is available @@ -552,6 +636,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the contents of DeviceInformationResponse.QueryResponses.OSUpdateSettings. This value requires the Device Information access right, and is available @@ -565,6 +651,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the local hostname from Bonjour. This value is available in macOS 10.11 and later. @@ -577,6 +665,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the hostname. This value is available in macOS 10.11 and later. @@ -592,6 +682,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the contents of DeviceInformationResponse.QueryResponses.AutoSetupAdminAccountsItem, which Setup Assistant automatically creates during enrollment. This value @@ -606,6 +698,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to determine if System Integrity Protection is in an enabled state on the device. This value requires the Device Information access right, @@ -619,6 +713,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to determine if the device can receive 'PowerON', 'PowerOFF', and 'Reset' commands from a lights-out management (LOM) controller. This query 
@@ -634,6 +730,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to determine if Managed Lost Mode is in an enabled state on the device. This value requires the Device Information access right, and is @@ -644,12 +742,19 @@ payloadkeys: introduced: '9.3' accessrights: AllowQueryDeviceInformation supervised: true + requiresdep: true + sharedipad: + mode: required + devicechannel: true + userchannel: false userenrollment: mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the maximum number of users that can use this Shared iPad device. Beginning with iOS 13.4, the value that returns is always '32'. @@ -661,12 +766,19 @@ payloadkeys: introduced: '14.0' accessrights: AllowQueryDeviceInformation supervised: true + requiresdep: true + sharedipad: + mode: required + devicechannel: true + userchannel: false userenrollment: mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the estimated number of users that can use this Shared iPad device, according to the available space of the device and each user's @@ -677,10 +789,20 @@ payloadkeys: iOS: introduced: '13.4' accessrights: AllowQueryDeviceInformation + supervised: true + requiresdep: true + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the quota size for each user on this Shared iPad device. This value requires the Device Information access right, and is available 
@@ -690,10 +812,20 @@ payloadkeys: iOS: introduced: '13.4' accessrights: AllowQueryDeviceInformation + supervised: true + requiresdep: true + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the number of users currently on this Shared iPad device. This value requires the Device Information access right, and is available @@ -703,10 +835,20 @@ payloadkeys: iOS: introduced: '14.5' accessrights: AllowQueryDeviceInformation + supervised: true + requiresdep: true + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The timeout interval for the user session. '0' means no timeout. - key: TemporarySessionTimeout @@ -714,10 +856,20 @@ payloadkeys: iOS: introduced: '14.5' accessrights: AllowQueryDeviceInformation + supervised: true + requiresdep: true + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The timeout interval for the temporary session. '0' means no timeout. - key: TemporarySessionOnly @@ -725,10 +877,20 @@ payloadkeys: iOS: introduced: '14.5' accessrights: AllowQueryDeviceInformation + supervised: true + requiresdep: true + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the device only allows temporary sessions. - key: ManagedAppleIDDefaultDomains 
@@ -736,10 +898,20 @@ payloadkeys: iOS: introduced: '16.0' accessrights: AllowQueryDeviceInformation + supervised: true + requiresdep: true + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: |- The list of domains that the device suggests on the Shared iPad login screen. @@ -749,10 +921,20 @@ payloadkeys: iOS: introduced: '16.0' accessrights: AllowQueryDeviceInformation + supervised: true + requiresdep: true + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: |- The grace period for Shared iPad online authentication (in days). 0 means the device requires online authentication for every login. @@ -762,13 +944,23 @@ payloadkeys: iOS: introduced: '16.2' accessrights: AllowQueryDeviceInformation + supervised: true + requiresdep: true + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: Whether the language & locale pane will be skipped for new users of - Shared iPad + content: The key to determine whether the system skips the language and country/region + panes for new users on Shared iPad. - key: PushToken supportedOS: iOS: @@ -782,6 +974,8 @@ payloadkeys: introduced: '10.12' tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the push token for the current user-channel connection. The MDM server ignores this query for the device channel. This value requires 
@@ -796,6 +990,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to determine if the diagnostic submission setting is in an enabled state on the device. This value requires the Device Information access @@ -809,6 +1005,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to determine if the device is sharing app analytics. This value requires the Device Information access right, and is available in iOS 4 and @@ -823,6 +1021,8 @@ payloadkeys: tvOS: introduced: '14.0' accessrights: AllowQueryDeviceInformation + watchOS: + accessrights: AllowQueryDeviceInformation type: content: The key to get the current Internet Assigned Numbers Authority (IANA) time zone database name. This value requires the Device Information access @@ -838,10 +1038,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the integrated circuit card (ICC) identifier for the - installed SIM card. This value requires the Network Information access right, - and is available in iOS 4 and later. + installed SIM card. This value requires the Network Information access right. + It's available as of iOS 4 and deprecated in iOS 16. - key: BluetoothMAC supportedOS: iOS: @@ -854,6 +1056,8 @@ payloadkeys: mode: forbidden tvOS: accessrights: AllowQueryNetworkInformation + watchOS: + introduced: n/a type: content: The key to get the Bluetooth media access control (MAC) address. This value requires the Network Information access right. @@ -869,6 +1073,8 @@ payloadkeys: mode: forbidden tvOS: accessrights: AllowQueryNetworkInformation + watchOS: + accessrights: AllowQueryNetworkInformation type: content: The key to get the Wi-Fi MAC address. This value requires the Network Information access right. 
@@ -882,6 +1088,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the primary Ethernet MAC address. This value requires the Network Information access right, and is available in macOS 10.7 and later. @@ -896,10 +1104,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the name of the current carrier network. This value - requires the Network Information access right, and is available in iOS 4 and - later. + requires the Network Information access right. It's available as of iOS 4 + and deprecated in iOS 16. - key: SIMCarrierNetwork supportedOS: iOS: @@ -911,6 +1121,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: Apple no longer supports this query. Use 'SubscriberCarrierNetwork' instead. @@ -926,9 +1138,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the name of the home carrier network. This value requires - the Network Information access right, and is available in iOS 5 and later. + the Network Information access right. It's available as of iOS 5 and deprecated + in iOS 16. - key: CarrierSettingsVersion supportedOS: iOS: @@ -940,9 +1155,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the version of the carrier settings. This value requires - the Network Information access right, and is available in iOS 4 and later. + the Network Information access right. It's available as of iOS 4 and deprecated + in iOS 16. - key: PhoneNumber supportedOS: iOS: 
@@ -954,10 +1172,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the raw phone number, without punctuation, and including - the country code. This value requires the Network Information access right, - and is available in iOS 7 and later. + the country code. This value requires the Network Information access right. + It's available as of iOS 4 and deprecated in iOS 16. - key: DataRoamingEnabled supportedOS: iOS: @@ -969,6 +1189,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to determine if data roaming is in an enabled state on the device. This value requires the Network Information access right, and is available @@ -985,10 +1207,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: The key to determine if voice roaming, which isn't available for all - carriers, is in an enabled state on the device. This value requires the Network - Information access right, and is available in iOS 5 and later. + content: The key to determine whether voice roaming, which isn't available for + all carriers, is in an enabled state on the device. This value requires the + Network Information access right. It's available as of iOS 5 and deprecated + in iOS 16. - key: PersonalHotspotEnabled supportedOS: iOS: @@ -1000,6 +1225,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to determine if Personal Hotspot, which isn't available for all carriers, is in an enabled state on the device. This value requires the @@ -1013,6 +1240,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to determine if the device is network-tethered. This value requires the Network Information access right, and is available in iOS 10.3 
@@ -1028,9 +1257,11 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to determine if the device is roaming. This value requires - the Network Information access right, and is available in iOS 4.2 and later. + the Network Information access right and is available in iOS 4.2 and later. - key: SubscriberMCC supportedOS: iOS: @@ -1043,9 +1274,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the home mobile country code. This value requires the - Network Information access right, and is available in iOS 4.2.6 and later. + Network Information access right. It's available as of iOS 4.2.6 and deprecated + in iOS 16. - key: SubscriberMNC supportedOS: iOS: @@ -1058,9 +1292,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the home mobile network code. This value requires the - Network Information access right, and is available in iOS 4.2.6 and later. + Network Information access right. It's available as of iOS 4.2.6 and deprecated + in iOS 16. - key: CurrentMCC supportedOS: iOS: @@ -1072,9 +1309,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the current mobile country code (MCC). This value requires - the Network Information access right, and is available in iOS 4 and later. + the Network Information access right. It's available as of iOS 4 and deprecated + in iOS 16. - key: CurrentMNC supportedOS: iOS: 
@@ -1086,9 +1326,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: The key to get the current mobile network code (MNC). This value requires - the Network Information access right, and is available in iOS 4 and later. + content: The key to get the current mobile network code (MNC). TThis value requires + the Network Information access right. It's available as of iOS 4 and deprecated + in iOS 16. - key: ServiceSubscriptions supportedOS: iOS: @@ -1100,6 +1343,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the contents of DeviceInformationResponse.QueryResponses.ServiceSubscriptionProperty. This value requires the Network Information access right. @@ -1128,6 +1373,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to determine if the DeviceLockCommand requires a PIN. This value is available in macOS 11 and later. @@ -1140,6 +1387,8 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to determine whether the macOS device supports iOS/iPadOS app installs. This query is available in macOS 11 and later. @@ -1155,6 +1404,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key that represents the device identifier you use to look up available OS updates through . Available in iOS 15 and @@ -1169,10 +1420,11 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: Returns the device settings that control which updates appear in the - Software Update pane in Settings. OS updates through . - Available in iOS 14.5 and later. + content: The key to get the device settings that control which updates appear + in the Software Update pane in Settings. Available in iOS 14.5 and later. - key: AccessibilitySettings supportedOS: iOS: 
@@ -1187,9 +1439,10 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + supervised: true type: - content: |- - The key to get the current state of settable accessibility settings. + content: The key to get the current state of settable accessibility settings. Available in iOS 16 and later. - key: DevicePropertiesAttestation supportedOS: @@ -1199,13 +1452,13 @@ payloadkeys: userenrollment: mode: allowed macOS: - introduced: n/a + introduced: '14.0' tvOS: introduced: '16.0' type: - content: |- - The key to get an attestation of the device's properties. - Available in iOS 16 and later and tvOS 16 and later. + content: The key to get an attestation of the device's properties. Available + in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 + and later. - key: EACSPreflight supportedOS: iOS: @@ -1218,9 +1471,11 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: Determines whether the device could perform an EraseDevice using Erase - All Content and Settings. + content: The key to determine whether the device can perform an EraseDeviceCommand + using Erase All Content and Settings (EACS). - key: DeviceAttestationNonce supportedOS: iOS: 
@@ -1229,20 +1484,14 @@ payloadkeys: userenrollment: mode: allowed macOS: - introduced: n/a + introduced: '14.0' tvOS: introduced: '16.0' type: presence: optional - content: Up to 32 bytes of data. If this is specified, Queries must contain DevicePropertiesAttestation. - The nonce appears in the resulting attestation to ensure it was recently generated. - To request a new attestation, provide a new nonce. The most recently generated - attestation is cached on the device. Requests for new attestations are rate limited. - If it has been fewer than 7 days since an attestation was generated, the device - returns the cached attestation rather than generating a new one. If DeviceAttestationNonce - is omitted or if the value matches the cached attestation, the cached attestation - is returned. Otherwise a new attestation containing the new nonce is requested - and returned. + content: |- + This value can contain up to 32 bytes of data. If specified, queries need to contain 'DevicePropertiesAttestation'. If omitted or if the value matches the cached attestation, the system returns the cached attestation. Otherwise, the system requests and returns a new attestation that contains the new nonce. + The nonce appears in the resulting attestation to ensure it was recently generated. To request a new attestation, provide a new nonce. The system caches the most recently generated attestation on the device. Requests for new attestations are rate limited. If it has been fewer than 7 days since the system generated an attestation, the device returns the cached attestation rather than generating a new one. responsekeys: - key: QueryResponses type: 
@@ -1263,9 +1512,11 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The device identifier used in provisioning profiles. This value differs - from the UDID on Apple Silicon Macs. Available in macOS 11.3 and later. + from the UDID on Macs with Apple silicon. Available in macOS 11.3 and later. - key: OrganizationInfo supportedOS: iOS: @@ -1317,6 +1568,9 @@ responsekeys: content: The contents of SettingsCommand.Command.Settings.MDMOptions.MDMOptions. subkeys: - key: ActivationLockAllowedWhileSupervised + supportedOS: + watchOS: + introduced: n/a type: presence: optional default: false @@ -1332,6 +1586,8 @@ responsekeys: introduced: '11.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -1345,6 +1601,8 @@ responsekeys: introduced: '11.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -1361,6 +1619,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The date of the last iCloud backup. This query is available in iOS 8 and later. @@ -1373,8 +1633,9 @@ responsekeys: tvOS: introduced: '10.2' type: - content: If 'true', the device is still waiting for a DeviceConfiguredCommand - to continue through Setup Assistant. + content: |- + If 'true' on the device channel, the device is still waiting for a DeviceConfiguredCommand to continue through Setup Assistant. + If 'true' on the user channel (Shared iPad only), the device is still waiting for a UserConfiguredCommand to continue through Setup Assistant and finish login. - key: iTunesStoreAccountIsActive supportedOS: iOS: @@ -1405,6 +1666,9 @@ responsekeys: content: The operating system version. This value requires the Device Information access right. - key: SupplementalOSVersionExtra + supportedOS: + watchOS: + introduced: n/a type: content: The OS update rapid security response version letter. - key: BuildVersion 
@@ -1423,15 +1687,12 @@ responsekeys: content: The model. This value requires the Device Information access right. - key: ModelNumber supportedOS: - iOS: - introduced: '16.4' - macOS: - introduced: '13.3' - tvOS: - introduced: '16.4' + watchOS: + introduced: n/a type: - content: The device's hardware model number, including region info, e.g. "MK1A3LL/A". - Requires Device Information right. Requires Apple silicon on macOS. + content: The device's hardware model number including region info, for example, + 'MK1A3LL/A'. This value requires the Device Information right, and it requires + Apple silicon on macOS. - key: IsAppleSilicon supportedOS: iOS: @@ -1440,8 +1701,10 @@ responsekeys: introduced: '12.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: If 'true', the macOS device uses an AppleSilicon chip. + content: If 'true', the macOS device uses an Apple silicon chip. - key: ProductName type: content: The product name, such as iPad8,12. This value requires the Device Information @@ -1476,10 +1739,12 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The International Mobile Equipment Identity (IMEI) number. This value - requires the Device Information access right, and is available in iOS 4 and - later. + requires the Device Information access right. It's available as of iOS 4 and + deprecated in iOS 16. - key: MEID supportedOS: iOS: 
@@ -1488,15 +1753,20 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The mobile equipment identifier (MEID) number. This value requires the - Device Information access right, and is available in iOS 4.0 and later. + Device Information access right. It's available as of iOS 4 and deprecated in + iOS 16. - key: ModemFirmwareVersion supportedOS: macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The modem firmware version. This value requires the Device Information access right, and is available in iOS 4.0 and later. @@ -1508,6 +1778,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: rangelist: - 0 @@ -1516,10 +1788,10 @@ responsekeys: - 3 content: |- The cellular technology type, which is one of the following values: - * '0: 'None - * '1: 'GSM - * '2: 'CDMA - * '3: 'Both + * '0':' 'None' + * '1':' 'GSM' + * '2':' 'CDMA' + * '3':' 'Both' This value requires the Device Information access right, and is available in iOS 4.2.6 and later. - key: BatteryLevel supportedOS: @@ -1541,8 +1813,10 @@ responsekeys: introduced: '13.3' tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: Whether the device has an internal battery. + content: If 'true', the device has an internal battery. - key: IsSupervised supportedOS: iOS: @@ -1563,6 +1837,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the device is in ephemeral multiuser mode. This value requires the Device Information access right, and is available in iOS 9.3 and later. 
@@ -1588,10 +1864,12 @@ responsekeys: deprecated: '13.0' tvOS: introduced: n/a + watchOS: + deprecated: '10.0' type: content: If 'true', the device has enabled Activation Lock. This value requires - the Device Information access right, and is available in iOS 7 and later, and - macOS 10.9 and later. + the Device Information access right. It's available as of iOS 7 and macOS 10.9, + and deprecated in iOS 16 and macOS 13. - key: IsActivationLockSupported supportedOS: iOS: @@ -1600,8 +1878,10 @@ responsekeys: introduced: '10.9' tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: If 'true', the device supports Activation Lock. Also see IsActivationLockManageable + content: If 'true', the device supports Activation Lock. Also see 'IsActivationLockManageable' in SecurityInfoResponse.SecurityInfo.ManagementStatus. This value is available in macOS 10.9 and later. - key: IsDoNotDisturbInEffect @@ -1624,6 +1904,8 @@ responsekeys: introduced: '11.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the device can receive 'PowerON', 'PowerOFF', and 'Reset' commands from a lights-out management (LOM) controller. This query is available @@ -1636,6 +1918,8 @@ responsekeys: introduced: n/a tvOS: introduced: '6.0' + watchOS: + introduced: n/a type: content: The device identifier. This value requires the Device Information access right, and is available in tvOS 6 and later. @@ -1647,6 +1931,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The device identifier for Exchange Active Sync (EAS). This value requires the Device Information access right, and is available in iOS 7 and later. @@ -1658,6 +1944,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the device has enabled iCloud backup. This value requires the Device Information access right, and is available in iOS 7.1 and later. 
@@ -1669,6 +1957,8 @@ responsekeys: introduced: '10.11' tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: An array of the directory GUIDs of the logged-in managed users. If one of these users is currently logged in to the console, the 'CurrentConsoleManagedUser' @@ -1685,6 +1975,8 @@ responsekeys: introduced: '10.11' tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The contents of DeviceInformationResponse.QueryResponses.OSUpdateSettings. This value requires the Device Information access right, and is available in @@ -1738,6 +2030,8 @@ responsekeys: introduced: '10.11' tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The local host name from Bonjour. This value is available in macOS 10.11 and later. @@ -1749,6 +2043,8 @@ responsekeys: introduced: '10.11' tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The host name. This value is available in macOS 10.11 and later. - key: AutoSetupAdminAccounts @@ -1759,6 +2055,8 @@ responsekeys: introduced: '10.11' tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The contents of DeviceInformationResponse.QueryResponses.AutoSetupAdminAccountsItem, which Setup Assistant automatically created during DEP enrollment. This value @@ -1784,6 +2082,8 @@ responsekeys: introduced: '10.12' tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the device has enabled System Integrity Protection. This value requires the Device Information access right, and is available in macOS 10.12 @@ -1807,6 +2107,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The maximum number of users that can use this shared iPad device. Starting with iOS 13.4, the value that returns is always '32'. This value requires the 
@@ -1819,6 +2121,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The estimated number of users that can use this shared iPad device, according to the space available on the device and each user's quota. This value requires @@ -1831,6 +2135,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The quota size in megabytes for each user on this shared iPad device. This value requires the Device Information access right, and is available in @@ -1843,6 +2149,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The number of users currently on this shared iPad device. This value requires the Device Information access right, and is available in iOS 13.4 and @@ -1855,6 +2163,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The timeout interval for the user session. '0' means no timeout. - key: TemporarySessionTimeout @@ -1865,6 +2175,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The timeout interval for the temporary session. '0' means no timeout. - key: TemporarySessionOnly @@ -1875,6 +2187,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the device only allows temporary sessions. - key: ManagedAppleIDDefaultDomains @@ -1885,6 +2199,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: |- The list of domains that the device suggests on the Shared iPad login screen. @@ -1900,6 +2216,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: |- The grace period for Shared iPad online authentication (in days). 0 means the device requires online authentication for every login. 
@@ -1912,9 +2230,11 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: Whether the language & locale pane will be skipped for new users of Shared - iPad + content: If 'true', skip the language and country/region panes for new users on + Shared iPad. - key: PushToken supportedOS: iOS: @@ -1923,11 +2243,13 @@ responsekeys: introduced: '10.12' tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The push token for the user-channel connection, in the same format as in TokenUpdateRequest. MDM ignores this query for the device channel. This value requires the Device Information access right, and is available in iOS 9.3 and - later, and macOS 1012 and later. + later, and macOS 10.12 and later. - key: DiagnosticSubmissionEnabled supportedOS: iOS: @@ -1970,11 +2292,16 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The integrated circuit card (ICC) identifier for the installed SIM card. - This value requires the Network Information access right, and is available in - iOS 4 and later. + This value requires the Network Information access right. It's available as + of iOS 4 and deprecated in iOS 16. - key: BluetoothMAC + supportedOS: + watchOS: + introduced: n/a type: content: The Bluetooth media access control (MAC) address. This value requires the Network Information access right. @@ -1988,6 +2315,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The primary Ethernet MAC address. This value requires the Network Information access right, and is available in macOS 10.7 and later. 
@@ -1999,9 +2328,11 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The name of the current carrier network. This value requires the Network - Information access right, and is available in iOS 4 and later. + Information access right. It's available as of iOS 4 and deprecated in iOS 16. - key: SIMCarrierNetwork supportedOS: iOS: @@ -2010,6 +2341,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: Apple no longer supports this query. Use 'SubscriberCarrierNetwork' instead. - key: SubscriberCarrierNetwork @@ -2021,9 +2354,11 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The name of the home carrier network. This value requires the Network - Information access right, and is available in iOS 5 and later. + Information access right. It's available as of iOS 5 and deprecated in iOS 16. - key: CarrierSettingsVersion supportedOS: iOS: @@ -2032,9 +2367,11 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The version of the carrier settings. This value requires the Network - Information access right, and is available in iOS 4 and later. + Information access right. It's available as of iOS 4 and deprecated in iOS 16. - key: PhoneNumber supportedOS: iOS: @@ -2043,10 +2380,12 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The raw phone number without punctuation and including the country code. - This value requires the Network Information access right, and is available in - iOS 7.0 and later. + This value requires the Network Information access right. It's available as + of iOS 4 and deprecated in iOS 16. - key: DataRoamingEnabled supportedOS: iOS: 
@@ -2055,6 +2394,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the device has enabled data roaming. This value requires the Network Information access right, and is available in iOS 5 and later. @@ -2067,10 +2408,12 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the device has enabled voice roaming, which isn't available - for all carriers. This value requires the Network Information access right, - and is available in iOS 5 and later. + for all carriers. This value requires the Network Information access right. + It's available as of iOS 5 and deprecated in iOS 16. - key: PersonalHotspotEnabled supportedOS: iOS: @@ -2079,6 +2422,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true,' the device has enabled Personal Hotspot, which isn't available for all carriers. This value requires the Network Information access right, @@ -2091,6 +2436,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the device is network-tethered. This value requires the Network Information access right, and is available in iOS 10.3 and later. @@ -2103,9 +2450,11 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the device is roaming. This value requires the Network Information - access right, and is available in iOS 4.2 and later. + access right. It's available as of iOS 4.2 and deprecated in iOS 16. - key: SIMMCC supportedOS: iOS: @@ -2114,6 +2463,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: Apple no longer supports this query. Use 'SubscriberMCC' instead. - key: SIMMNC 
@@ -2124,6 +2475,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: Apple no longer supports this query. Use 'SubscriberMNC' instead. - key: SubscriberMCC @@ -2135,9 +2488,11 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The home Mobile Country Code (MCC). This value requires the Network Information - access right, and is available in iOS 4.2.6 and later. + access right. It's available as of iOS 4.2.6 and deprecated in iOS 16. - key: SubscriberMNC supportedOS: iOS: @@ -2147,9 +2502,12 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The key to get the home Mobile Network Code (MNC). This value requires - the Network Information access right, and is available in iOS 4.2.6 and later. + the Network Information access right. It's available as of iOS 4.2.6 and deprecated + in iOS 16. - key: CurrentMCC supportedOS: iOS: @@ -2158,9 +2516,11 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: The current mobile country code (MCC). This value requires the Network - Information access right, and is available in iOS 4 and later. + content: The current mobile country code (MCC).This value requires the Network + Information access right. It's available as of iOS 4 and deprecated in iOS 16. - key: CurrentMNC supportedOS: iOS: @@ -2169,9 +2529,11 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The current mobile network code (MNC). This value requires the Network - Information access right, and is available in iOS 4 and later. + Information access right. It's available as of iOS 4 and deprecated in iOS 16. - key: ServiceSubscriptions supportedOS: iOS: 
@@ -2180,6 +2542,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: The contents of DeviceInformationResponse.QueryResponses.ServiceSubscriptionProperty. This value requires the Network Information access right. @@ -2273,6 +2637,8 @@ responsekeys: introduced: '11.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the EraseDeviceCommand requires a PIN. This value is available in macOS 11 and later. @@ -2284,6 +2650,8 @@ responsekeys: introduced: '11.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the DeviceLockCommand requires a PIN. This value is available in macOS 11 and later. @@ -2295,8 +2663,10 @@ responsekeys: introduced: '11.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: If 'true', the device supports iOS/iPadOS app installs via MDM. This + content: If 'true', the device supports iOS/iPadOS app installs through MDM. This query is available in macOS 11 and later. - key: SoftwareUpdateDeviceID supportedOS: @@ -2310,10 +2680,12 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: The key representing the device identifier to be used when looking up - available OS updates via . Available in iOS 14.5 - and later. + content: The key representing the device identifier to use when looking up available + OS updates through . Available in iOS 14.5 and + later. - key: SoftwareUpdateSettings supportedOS: iOS: @@ -2324,9 +2696,11 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: - content: Properties that control which updates appear in the Software Update pane - in Settings. + content: The device settings that control which updates appear in the Software + Update pane in Settings. Available in iOS 14.5 and later. subkeys: - key: RecommendationsCadence type: 
@@ -2350,23 +2724,27 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + supervised: true type: - content: |- - The the current state of settable accessibility settings. - Available in iOS 16 and later. + content: The current state of settable accessibility settings. Available in iOS + 16 and later. subkeys: - key: BoldTextEnabled type: - content: If 'true', device has enabled bold text. + content: If 'true', the device has enabled bold text. - key: IncreaseContrastEnabled + supportedOS: + watchOS: + introduced: n/a type: - content: If 'true', device has enabled increase contrast. + content: If 'true', the device has enabled increase contrast. - key: ReduceMotionEnabled type: - content: If 'true', device has enabled reduced motion. + content: If 'true', the device has enabled reduced motion. - key: ReduceTransparencyEnabled type: - content: If 'true', device has enabled reduced transparency. + content: If 'true', the device has enabled reduced transparency. - key: TextSize type: rangelist: @@ -2388,13 +2766,19 @@ responsekeys: '-1' indicates that the current size is unknown or hasn't been explicitly set. - key: TouchAccommodationsEnabled type: - content: If 'true', device has enabled touch accommodations. + content: If 'true', the device has enabled touch accommodations. - key: VoiceOverEnabled type: - content: If 'true', device has enabled voiceover. + content: If 'true', the device has enabled voiceover. - key: ZoomEnabled type: - content: If 'true', device has enabled zoom. + content: If 'true', the device has enabled zoom. + - key: GrayscaleEnabled + supportedOS: + iOS: + introduced: n/a + type: + content: If 'true', the device has enabled grayscale display. - key: DevicePropertiesAttestation supportedOS: iOS: 
@@ -2403,13 +2787,13 @@ responsekeys: userenrollment: mode: allowed macOS: - introduced: n/a + introduced: '14.0' tvOS: introduced: '16.0' type: - content: |- - The key to get an attestation of the device's properties. - Available in iOS 16 and later and tvOS 16 and later. + content: The key to get an attestation of the device's properties. Available in + iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 and + later. subkeys: - key: AttestationCertificate type: @@ -2423,11 +2807,13 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: |- - Determines whether the device could perform an EraseDevice using Erase All Content and Settings. + Specifies whether the device can perform an EraseDeviceCommand using Erase All Content and Settings (EACS). Responses can include: - "success" -> device supports EACS and everything looks OK - "not supported" -> device is too old to support EACS (does not contain T2 or AppleSilicon) - "unknown failure" -> something went wrong for which we don't have a better error message - (other string) -> reason why EACS cannot be performed at the current time (e.g. "System is not sealed") + · 'success': The device supports EACS + · 'not supported': The device is too old to support EACS + · 'unknown failure': A problem occurred for which there isn't a more specific error message + · '(other string)': A reason why the device can't perform EACS, for example, “System is not sealed” diff --git a/mdm/commands/information.security.yaml b/mdm/commands/information.security.yaml index 57e853c..8c04ba5 100644 --- a/mdm/commands/information.security.yaml +++ b/mdm/commands/information.security.yaml 
@@ -27,6 +27,10 @@ payload: introduced: '6.0' accessrights: AllowQuerySecurity supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowQuerySecurity + supervised: false content: This command queries the device for security-related information. Queries are available if the MDM host has the Security Query right. responsekeys: @@ -80,8 +84,6 @@ responsekeys: supportedOS: iOS: introduced: 9.3.2 - sharedipad: - mode: required userenrollment: mode: forbidden macOS: @@ -94,8 +96,6 @@ responsekeys: supportedOS: iOS: introduced: 9.3.2 - sharedipad: - mode: required userenrollment: mode: forbidden macOS: @@ -105,6 +105,23 @@ responsekeys: the device passcode to unlock it. If a device has a passcode, changing 'PasscodeLockGracePeriod' to a larger value doesn't take effect until the user logs out or removes the passcode. This value is only available for Shared iPad. + - key: AutoLockTime + supportedOS: + iOS: + introduced: '17.0' + sharedipad: + mode: required + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + content: The number of seconds before a device goes to sleep after being idle. + This value is only available for Shared iPad. - key: FDE_Enabled supportedOS: iOS: @@ -114,6 +131,8 @@ responsekeys: userchannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the device has enabled FileVault full disk encryption (FDE). This value is available in macOS 10.9 and later. @@ -128,6 +147,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', FileVault FDE has a personal recovery key. This value is available in macOS 10.9 and later. @@ -142,6 +163,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', FileVault FDE has an institutional recovery key. This value is available in macOS 10.9 and later. 
@@ -156,6 +179,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If the FileVault personal recovery key has enabled escrow with a recovery key, this value contains the key. The certificate from the FDERecoveryKeyEscrow @@ -172,6 +197,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If the FileVault personal recovery key has enabled escrow with a recovery key, this value is the device serial number. This is the value that displays @@ -189,6 +216,8 @@ responsekeys: userchannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', System Integrity Protection (SIP) is active on the device. This value is available in macOS 10.12 and later. @@ -201,6 +230,8 @@ responsekeys: userchannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: A dictionary that contains the firewall settings. This value is available in macOS 10.12 and later. @@ -260,6 +291,8 @@ responsekeys: userchannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: A dictionary that contains the status of the EFI firmware password. This value is available in macOS 10.13 and later. @@ -292,6 +325,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the device enrolled in MDM through the Device Enrollment Program (DEP). This value is available in macOS 10.13.2 and later. @@ -301,6 +336,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the enrollment was user-approved. If 'false', the device may reject certain security-sensitive payloads or commands. This value is 
@@ -320,6 +357,8 @@ responsekeys: introduced: '10.15' tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the type of enrollment allows the MDM to manage Activation Lock for this device. This value is available in macOS 10.15 and later. @@ -332,6 +371,8 @@ responsekeys: userchannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: A dictionary that contains the device's Secure Boot settings. This value is available in macOS 10.15 and later. @@ -386,6 +427,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', Remote Desktop is active on the device. This value is available in macOS 10.14.4 and later. @@ -398,6 +441,8 @@ responsekeys: userchannel: false tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', the system booted using an Authenticated Root Volume. This value is available in macOS 11 and later. @@ -412,6 +457,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: rangelist: - allowed @@ -431,6 +478,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: |- If 'true', the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to installation. This only applies when 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo response. 
@@ -446,6 +495,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: |- If 'true', the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to enabling kernel extensions. This includes enabling kexts through the 'com.apple.syspolicy.kernel-extension-policy' payload or triggering the 'RestartDevice' command with 'RebuildKernelCache' set to 'true'. This only applies when 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo response. @@ -461,6 +512,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: content: If 'true', a password is required to enter recovery (see SetRecoveryLockCommand). Available in macOS 11.5 and later and only on Apple silicon devices. diff --git a/mdm/commands/managed.application.attributes.yaml b/mdm/commands/managed.application.attributes.yaml index d0cc1c7..6cd3d11 100644 --- a/mdm/commands/managed.application.attributes.yaml +++ b/mdm/commands/managed.application.attributes.yaml @@ -19,6 +19,10 @@ payload: introduced: '10.2' accessrights: AllowAppInstallation supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowAppInstallation + supervised: false content: Queries managed application attributes. Attributes can be set on managed apps. These attributes can be changed over time. payloadkeys: @@ -48,6 +52,9 @@ responsekeys: content: The app's attributes. subkeys: - key: VPNUUID + supportedOS: + tvOS: + introduced: n/a type: presence: optional content: A per-app VPN unique identifier for this app. @@ -57,6 +64,8 @@ responsekeys: introduced: '16.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: |- 
@@ -68,11 +77,24 @@ responsekeys: introduced: '16.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: |- The DNS Proxy UUID assigned to this app. Available in iOS 16 and later. + - key: RelayUUID + supportedOS: + iOS: + introduced: '17.0' + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + content: The relay UUID for this app. - key: AssociatedDomains supportedOS: iOS: @@ -110,3 +132,33 @@ responsekeys: default: true content: If 'false', this app isn't removable while it's a managed app. This value is available in iOS 14 and later. + - key: TapToPayScreenLock + supportedOS: + iOS: + introduced: '16.4' + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: false + content: Enabling this setting will require Tap to Pay on iPhone users to + use Face ID or a passcode to unlock their device after every transaction + that requires a customer’s card PIN. Disabling this setting will allow users + to configure this setting on their device based on personal preference. + - key: CellularSliceUUID + supportedOS: + iOS: + introduced: '17.0' + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + content: Either data network name (DNN) or traffic category can be set as + the enterprise slice identifier. For DNN, the value must be encoded as "DNN:name”, + where "name" is the carrier provided DNN name. For app category, the value + must be encoded as "AppCategory:category", where "category" is a carrier + provided string like "Enterprise1". diff --git a/mdm/commands/managed.application.configuration.yaml b/mdm/commands/managed.application.configuration.yaml index 71eb635..079c34d 100644 --- a/mdm/commands/managed.application.configuration.yaml +++ b/mdm/commands/managed.application.configuration.yaml 
@@ -30,6 +30,10 @@ payload: introduced: '10.2' accessrights: AllowAppInstallation supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowAppInstallation + supervised: false content: This command queries the device for the current configuration of managed applications. This command requires the App Management right. payloadkeys: diff --git a/mdm/commands/passcode.clear.yaml b/mdm/commands/passcode.clear.yaml index de0c01e..0f2431d 100644 --- a/mdm/commands/passcode.clear.yaml +++ b/mdm/commands/passcode.clear.yaml @@ -13,6 +13,10 @@ payload: mode: forbidden userenrollment: mode: forbidden + watchOS: + introduced: '10.0' + accessrights: AllowPasscodeRemovalAndLock + supervised: false content: This command allows the server to clear the passcode on the device. This command requires the Device Lock and Passcode Removal right. payloadkeys: diff --git a/mdm/commands/passcode.firmware.set.yaml b/mdm/commands/passcode.firmware.set.yaml index 12871d8..b85fd55 100644 --- a/mdm/commands/passcode.firmware.set.yaml +++ b/mdm/commands/passcode.firmware.set.yaml @@ -31,7 +31,12 @@ payloadkeys: default: false content: If 'true', enable ROMs. responsekeys: -- key: PasswordChanged - type: +- key: SetFirmwarePassword + type: presence: required - content: If 'true', the password change succeeded. + content: Command result. + subkeys: + - key: PasswordChanged + type: + presence: required + content: If 'true', the password change succeeded. diff --git a/mdm/commands/passcode.firmware.verify.yaml b/mdm/commands/passcode.firmware.verify.yaml index 9dd5b30..11a7e51 100644 --- a/mdm/commands/passcode.firmware.verify.yaml +++ b/mdm/commands/passcode.firmware.verify.yaml 
@@ -19,7 +19,13 @@ payloadkeys: presence: required content: The password to verify. responsekeys: -- key: PasswordVerified - type: +- key: VerifyFirmwarePassword + type: presence: required - content: If 'true', the provided password matches the firmware password on the device. + content: Command result. + subkeys: + - key: PasswordVerified + type: + presence: required + content: If 'true', the provided password matched the firmware password set for + the device. diff --git a/mdm/commands/passcode.recovery.set.yaml b/mdm/commands/passcode.recovery.set.yaml index 37ccb13..1d3995d 100644 --- a/mdm/commands/passcode.recovery.set.yaml +++ b/mdm/commands/passcode.recovery.set.yaml @@ -11,7 +11,7 @@ payload: requiresdep: false userenrollment: mode: forbidden - content: Sets or clears the recovery lock password (AppleSilicon devices only). + content: Sets or clears the recovery lock password (Apple Silicon devices only). Requires the "Device lock and passcode removal right". payloadkeys: - key: CurrentPassword diff --git a/mdm/commands/profile.install.yaml b/mdm/commands/profile.install.yaml index 33c400c..380b614 100644 --- a/mdm/commands/profile.install.yaml +++ b/mdm/commands/profile.install.yaml @@ -29,6 +29,10 @@ payload: introduced: '6.0' accessrights: AllowInstallationRemoval supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowInstallationRemoval + supervised: false content: This command allows the host to install a configuration profile. The profile may be encrypted using any installed identity certificate. The profile may also be signed. This command requires the Profile Installation and Removal right. It's diff --git a/mdm/commands/profile.list.yaml b/mdm/commands/profile.list.yaml index b1b8850..4f9a072 100644 --- a/mdm/commands/profile.list.yaml +++ b/mdm/commands/profile.list.yaml 
@@ -28,6 +28,10 @@ payload: introduced: '6.0' accessrights: AllowInspection supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowInspection + supervised: false content: This command allows the MDM server to query for the profiles installed on the device. This command requires the Inspect Profile Manifest right. It's supported on the user channel. @@ -129,26 +133,35 @@ responsekeys: - key: PayloadType type: presence: required - content: The type of payload for the profile. The only supported value is - 'Configuration'. + content: The payload type, which each payload domain’s reference page specifies. - key: PayloadVersion type: presence: required - content: The version of the configuration profile as a whole, not of the - individual profiles within it. The value should be '1'. + content: The version of the configuration payload. The value should be '1'. - key: PayloadIdentifier type: presence: required - content: The reverse-DNS-style identifier of the profile; for example, 'com.example.myprofile'. + content: The reverse-DNS-style identifier of the payload; for example, 'com.example.myprofile.payload1'. + - key: PayloadUUID + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + type: + presence: required + content: The unique identifier for the profile. - key: PayloadDisplayName type: presence: optional - content: The human-readable name of the profile. + content: The human-readable name of the payload. - key: PayloadDescription type: presence: optional - content: The description of the profile. + content: The description of the payload. - key: PayloadOrganization type: presence: optional - content: The human-readable name of the organization that provided the profile. + content: The human-readable name of the organization that provided the payload. diff --git a/mdm/commands/profile.provisioning.install.yaml b/mdm/commands/profile.provisioning.install.yaml index 29217b2..93ff48c 100644 
--- a/mdm/commands/profile.provisioning.install.yaml +++ b/mdm/commands/profile.provisioning.install.yaml @@ -29,6 +29,10 @@ payload: introduced: '10.2' accessrights: AllowProvisioningInstallationRemoval supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowProvisioningInstallationRemoval + supervised: false content: This command allows the server to install a provisioning profile. No error occurs if the provisioning profile is already installed. This command requires the Provisioning Profile Installation and Removal right. On macOS, this command diff --git a/mdm/commands/profile.provisioning.list.yaml b/mdm/commands/profile.provisioning.list.yaml index 0146dc2..0969bf0 100644 --- a/mdm/commands/profile.provisioning.list.yaml +++ b/mdm/commands/profile.provisioning.list.yaml @@ -29,6 +29,10 @@ payload: introduced: '10.2' accessrights: AllowProvisioningInspection supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowProvisioningInspection + supervised: false content: This command allows the server to retrieve the list of installed provisioning profiles on the device. This command requires the Inspect Provisioning Profiles right. On macOS, this command is for iOS and iPadOS style provisioning profiles diff --git a/mdm/commands/profile.provisioning.remove.yaml b/mdm/commands/profile.provisioning.remove.yaml index 4a238e7..0b5e756 100644 --- a/mdm/commands/profile.provisioning.remove.yaml +++ b/mdm/commands/profile.provisioning.remove.yaml @@ -28,6 +28,10 @@ payload: introduced: '10.2' accessrights: AllowProvisioningInstallationRemoval supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowProvisioningInstallationRemoval + supervised: false content: This command allows the server to remove a provisioning profile. This command requires the Provisioning Profile Installation and Removal right. On macOS, this command is for iOS and iPadOS style provisioning profiles only. 
diff --git a/mdm/commands/profile.remove.yaml b/mdm/commands/profile.remove.yaml index 301388e..5ffdd2a 100644 --- a/mdm/commands/profile.remove.yaml +++ b/mdm/commands/profile.remove.yaml @@ -27,6 +27,10 @@ payload: introduced: '6.0' accessrights: AllowInstallationRemoval supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowInstallationRemoval + supervised: false content: This command allows the server to remove a profile. This command requires the Profile Installation and Removal Right. It's supported in the user channel. payloadkeys: diff --git a/mdm/commands/settings.yaml b/mdm/commands/settings.yaml index 41cabd6..cc0e62b 100644 --- a/mdm/commands/settings.yaml +++ b/mdm/commands/settings.yaml @@ -26,6 +26,10 @@ payload: introduced: '6.0' accessrights: AllowSettings supervised: false + watchOS: + introduced: '10.0' + accessrights: AllowSettings + supervised: false content: This command allows the server to set settings on the device. These settings take effect on a one-time basis. The user may still be able to change the settings at a later time. This command requires the ApplySettings right. @@ -50,6 +54,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains wallpaper settings. This setting doesn't support @@ -90,6 +96,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains data roaming settings. This setting requires @@ -121,6 +129,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains voice roaming settings. This setting requires @@ -153,6 +163,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains Personal Hotspot settings. This setting requires 
@@ -186,6 +198,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains Bluetooth settings. This setting requires @@ -220,6 +234,8 @@ payloadkeys: tvOS: introduced: '10.2' accessrights: AllowAppInstallation + watchOS: + accessrights: AllowAppInstallation type: presence: optional content: A dictionary that contains the configurations to apply to the app. Omit @@ -261,6 +277,8 @@ payloadkeys: tvOS: introduced: '10.2' accessrights: AllowAppInstallation + watchOS: + accessrights: AllowAppInstallation type: presence: optional content: A dictionary that contains the attributes to apply to the app. Omit this @@ -285,28 +303,46 @@ payloadkeys: 7 and later, and tvOS 10.2 and later. subkeys: - key: VPNUUID + supportedOS: + tvOS: + introduced: n/a type: presence: optional - content: A per-app VPN unique identifier for this app. This value is available - in iOS 7 and later, and tvOS 10.2 and later. + content: A per-app VPN unique identifier for this app. Available in iOS 7 + and later. - key: ContentFilterUUID supportedOS: iOS: introduced: '16.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional - content: Content Filter UUID assigned to this app. + content: The content filter UUID for this app. Available in iOS 16 and later. - key: DNSProxyUUID supportedOS: iOS: introduced: '16.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional - content: DNS Proxy UUID assigned to this app. + content: The DNS proxy UUID for this app. Available in iOS 16 and later. + - key: RelayUUID + supportedOS: + iOS: + introduced: '17.0' + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + content: The relay UUID for this app. Available in iOS 17 and later. - key: AssociatedDomains supportedOS: iOS: 
@@ -316,7 +352,7 @@ payloadkeys: type: presence: optional content: An array that contains the associated domains to add to this app. - This setting is available in iOS 7 and later, and tvOS 10.2 and later. + Available in iOS 7 and later. subkeys: - key: AssociatedDomain type: @@ -331,8 +367,7 @@ payloadkeys: default: false content: If 'true', perform claimed site association verification directly at the domain, instead of on Apple's servers. Only set this to 'true' for - domains that can't access the internet. This value is available in iOS 14 - and later. + domains that can't access the internet. Available in iOS 14 and later. - key: Removable supportedOS: iOS: 
@@ -342,23 +377,35 @@ payloadkeys: type: presence: optional default: true - content: If 'false', this app isn't removable while it's managed. This value - is available in iOS 14 and later, and tvOS 14 and later. + content: If 'false', this app isn't removable while it's managed. Available + in iOS 14 and later, and tvOS 14 and later. - key: TapToPayScreenLock supportedOS: iOS: introduced: '16.4' - macOS: - introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false - content: Enabling this setting will require Tap to Pay on iPhone users to - use Face ID or a passcode to unlock their device after every transaction - that requires a customer’s card PIN. Disabling this setting will allow users - to configure this setting on their device based on personal preference. + content: |- + If true, the system require Tap to Pay on iPhone users to use Face ID or a passcode to unlock their device after every transaction that requires a customer's card PIN. If 'false', the user can configure this setting on their device. + Available in iOS 16.4 and later. + - key: CellularSliceUUID + supportedOS: + iOS: + introduced: '17.0' + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + content: |- + The data network name (DNN) or app category. For DNN, the value is 'DNN:name', where 'name' is the carrier provided DNN name. For app category, the value is 'AppCategory:category', where 'category' is a carrier provided string like “Enterprise1”'.' + Available in iOS 17 and later. - key: DeviceName supportedOS: iOS: @@ -373,6 +420,8 @@ payloadkeys: introduced: '10.10' userenrollment: mode: forbidden + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains device name settings. This setting doesn't 
@@ -399,6 +448,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains hostname settings. This setting doesn't support @@ -492,6 +543,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains settings related to the MDM protocol. This @@ -565,6 +618,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains settings for maximum resident users. Apple @@ -599,6 +654,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains shared device configuration settings. This 
@@ -680,9 +737,65 @@ payloadkeys: type: presence: optional default: false - content: Whether the language & locale pane will be skipped for new users of - Shared iPad. If 'true', system language & locale will be picked automatically - for the new user. + content: |- + If 'true', the system picks the system language and locale automatically for the new Shared iPad user. + Available in iOS 16.2 and later. + - key: AwaitUserConfiguration + supportedOS: + iOS: + introduced: '17.0' + type: + presence: optional + content: |- + If enabled, the Shared iPad device enters Setup Assistant after the user triggers a login. The MDM server has a chance to configure the device and user. After configuration, a UserConfiguredCommand needs be sent to the user channel to unblock the login. This feature requires the device to have network access during the login process. + Available in iOS 17 and later. + subkeys: + - key: Enabled + type: + presence: required + content: If 'true', the device stops at a Setup Assistant pane after user + login. The user won't be able to use the device until a UserConfiguredCommand + command is received. + - key: PasscodePolicy + supportedOS: + iOS: + introduced: '17.0' + type: + presence: optional + content: A dictionary that contains passcode related policies. + subkeys: + - key: PasscodeLockGracePeriod + type: + presence: optional + rangelist: + - 0 + - 60 + - 300 + - 900 + - 3600 + - 14400 + content: Sets the user preference for the amount of time (in seconds) the + screen must be locked before unlock attempts will require the device passcode. + This should ideally be set when no passcode is set on device. If a passcode + is on device, only more restrictive values than the currently enforced passcode + lock grace period will take effect; any changes to a less restrictive value + will not take effect until the user logs out. 
This setting will not take + effect if TemporarySessionOnly is set to true (since there is no passcode + for the temporary session). This setting can only be applied on Shared iPads. + devpubs-override: The number of seconds before a locked screen requires the + user to enter the device passcode to unlock it. The minimum value is '0' + seconds and the maximum value is '14400' seconds. If a device has a passcode, + a change to a larger value doesn't take effect until the user logs out or + removes the passcode. For this reason, it's better to set this value before + the user sets a passcode. If the value set is less than one of the known + values the next lowest value will be used. For example a value of 299 will + result in an effective setting of 60. + - key: AutoLockTime + type: + presence: optional + content: Sets the user preference for the amount of time (in seconds) before + a device goes to sleep after being idle. The mininum value for this setting + is 120 seconds. This setting can only be applied on Shared iPad. - key: DiagnosticSubmission supportedOS: iOS: @@ -697,6 +810,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains diagnostic submission settings. This setting @@ -728,6 +843,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains settings for sharing app analytics. This setting @@ -749,6 +866,7 @@ payloadkeys: supportedOS: iOS: introduced: 9.3.2 + deprecated: '17.0' sharedipad: mode: required devicechannel: true @@ -759,6 +877,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains password lock grace period settings. This 
@@ -774,9 +894,21 @@ payloadkeys: - key: PasscodeLockGracePeriod type: presence: required - content: |- - The number of seconds before a locked screen requires the user to enter the device passcode to unlock it. The minimum value is '0' seconds and the maximum value is '14400' seconds. - If a device has a passcode, a change to a larger value doesn't take effect until the user logs out or removes the passcode. For this reason, it's better to set this value before the user sets a passcode. + rangelist: + - 0 + - 60 + - 300 + - 900 + - 3600 + - 14400 + content: The number of seconds before a locked screen requires the user to enter + the device passcode to unlock it. The minimum value is '0' seconds and the + maximum value is '14400' seconds. If a device has a passcode, a change to + a larger value doesn't take effect until the user logs out or removes the + passcode. For this reason, it's better to set this value before the user sets + a passcode. If the value set is less than one of the known values the next + lowest value will be used. For example a value of 299 will result in an effective + setting of 60. - key: TimeZone supportedOS: iOS: @@ -793,6 +925,8 @@ payloadkeys: tvOS: introduced: '14.0' supervised: true + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains time zone settings. This setting is only available @@ -826,6 +960,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: A dictionary that contains software update settings. This setting doesn't @@ -866,6 +1002,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + supervised: true type: presence: optional content: A dictionary that contains accessibility settings. Available in iOS 16 
@@ -882,22 +1020,25 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables bold text. + content: If 'true', the system enables bold text. - key: IncreaseContrastEnabled + supportedOS: + watchOS: + introduced: n/a type: presence: optional default: false - content: If 'true', enables increase contrast. + content: If 'true', the system enables increase contrast. - key: ReduceMotionEnabled type: presence: optional default: false - content: If 'true', enables reduced motion. + content: If 'true', the system enables reduced motion. - key: ReduceTransparencyEnabled type: presence: optional default: false - content: If 'true', enables reduced transparency. + content: If 'true', the system enables reduced transparency. - key: TextSize type: presence: optional @@ -915,23 +1056,31 @@ payloadkeys: - 10 - 11 default: 4 - content: The accessibility text size apps that support dynamic text use. 0 is - the smallest value, and 11 is the largest available. + content: The accessibility text size apps that support dynamic text use. '0' + is the smallest value, and '11' is the largest available. - key: TouchAccommodationsEnabled type: presence: optional default: false - content: If true, enables touch accommodations. + content: If 'true', the system enables touch accommodations. - key: VoiceOverEnabled type: presence: optional default: false - content: If true, enables voiceover. + content: If 'true', the system enables voiceover. - key: ZoomEnabled type: presence: optional default: false - content: If true, enables zoom. + content: If 'true', the system enables zoom. + - key: GrayscaleEnabled + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', the system enables grayscale display. responsekeys: - key: Settings type: diff --git a/mdm/commands/system.update.available.yaml b/mdm/commands/system.update.available.yaml index 06527ab..2e4f96a 100644 --- a/mdm/commands/system.update.available.yaml 
+++ b/mdm/commands/system.update.available.yaml @@ -206,7 +206,7 @@ responsekeys: introduced: '16.2' type: presence: required - content: If true, this update is a Rapid Security Response. + content: If 'true', this update is a Rapid Security Response. - key: SupplementalBuildVersion supportedOS: iOS: @@ -217,8 +217,8 @@ responsekeys: introduced: '16.2' type: presence: optional - content: The build version associated with the Rapid Security Response update, - e.g. 13A999. This is always the same as 'build'. + content: The build version for the Rapid Security Response update, for example, + '13A999', which is the same as 'Build'. - key: SupplementalOSVersionExtra supportedOS: iOS: @@ -229,5 +229,5 @@ responsekeys: introduced: '16.2' type: presence: optional - content: The Rapid Security Response OS version suffix, e.g. '(a)'. Only present - if this is a Rapid Security Response update. + content: The Rapid Security Response OS version suffix, for example, '(a)'. + Only present if this is a Rapid Security Response update. diff --git a/mdm/commands/system.update.status.yaml b/mdm/commands/system.update.status.yaml index bb9af79..c81fc0f 100644 --- a/mdm/commands/system.update.status.yaml +++ b/mdm/commands/system.update.status.yaml @@ -35,6 +35,8 @@ responsekeys: type: presence: required content: An array of dictionaries that describes the statuses of software updates. + If an activated declaration of configuration.softwareupdate.enforcement.specific + is present on a Mac, OSUpdateStatus will only return non OS update statuses. subkeys: - key: OSUpdateStatusItem type: diff --git a/mdm/commands/user.configured.yaml b/mdm/commands/user.configured.yaml new file mode 100644 index 0000000..3ac79fc --- /dev/null +++ b/mdm/commands/user.configured.yaml 
@@ -0,0 +1,20 @@ +title: User Configured Command +description: Informs the device that it can continue past Setup Assistant and finish + login. Only works on Shared iPads that have the AwaitUserConfiguration feature enabled. +payload: + requesttype: UserConfigured + supportedOS: + iOS: + introduced: '17.0' + accessrights: None + supervised: true + requiresdep: true + sharedipad: + mode: allowed + devicechannel: false + userchannel: true + userenrollment: + mode: forbidden + content: Informs the device that it can continue past Setup Assistant and finish + login. Only works on Shared iPads that have the AwaitUserConfiguration feature + enabled. diff --git a/mdm/errors/softwareupdate.required.yaml b/mdm/errors/softwareupdate.required.yaml new file mode 100644 index 0000000..12677fa --- /dev/null +++ b/mdm/errors/softwareupdate.required.yaml 
@@ -0,0 +1,55 @@ +title: Error Code Software Update Required +description: Error response for software update required. +payload: + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: n/a + watchOS: + introduced: n/a + content: |- + The schema for a JSON or property list XML document returned in an MDM server's 403 response body. The response headers + must include a "Content-Type" header indicating whether JSON or XML is being returned. + + This response is returned when a device is enrolling with an MDM server during Setup Assistant, and the MDM server + requires the device to perform a software update before enrollment is allowed and setup can proceed. +payloadkeys: +- key: code + type: + presence: required + rangelist: + - com.apple.softwareupdate.required + content: Indicates that a software update is required before enrollment and setup + can proceed. +- key: description + type: + presence: optional + content: The description of the error. This will only be used by the client for + logging purposes and will not be displayed to the user. +- key: message + type: + presence: optional + content: A description of the error suitable for displaying to the user. If needed, + the client will make a best-effort attempt to display the message, but may not + be able to, due to local conditions. +- key: details + type: + presence: required + content: A dictionary of additional data specific to the error code. + subkeys: + - key: OSVersion + type: + presence: required + content: The OS version that the device is required to update to (e.g., "16.1"). + A supplemental version identifier can be included (e.g., "16.1 (a)"). + - key: BuildVersion + type: + presence: optional + content: The build version that the device is required to update to (e.g., "20A242). + The build version is used for testing during seeding periods. A supplemental + version identifier can be included (e.g., "20A242a"). 
If the build version is + not consistent with the OS version specified in the 'OSVersion' key, the OS + version will take precedence. diff --git a/mdm/errors/watch.pairing.token.missing.yaml b/mdm/errors/watch.pairing.token.missing.yaml new file mode 100644 index 0000000..3959530 --- /dev/null +++ b/mdm/errors/watch.pairing.token.missing.yaml 
@@ -0,0 +1,48 @@ +title: Error Code Pairing Token Missing +description: Error response for missing pairing token. +payload: + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: n/a + tvOS: + introduced: n/a + watchOS: + introduced: '10.0' + content: |- + The schema for a JSON or property list XML document returned in an MDM server's 403 response body. The response headers + must include a "Content-Type" header indicating whether JSON or XML is being returned. + + This response is returned when an Apple Watch is attempting to enroll in MDM and the watch did not include a pairing token + in the machine info request sent to the server to initiate enrollment. After receiving this response, the watch will fetch + a pairing token from the phone's MDM server via a request to the phone. The watch will then repeat the enrollment request + with the pairing token included. +payloadkeys: +- key: code + type: + presence: required + rangelist: + - com.apple.watch.pairing.token.missing + content: Indicates that pairing token required to enroll a watch is missing. +- key: description + type: + presence: optional + content: The description of the error. This will only be used by the client for + logging purposes and will not be displayed to the user. +- key: message + type: + presence: optional + content: A description of the error suitable for displaying to the user. If needed, + the client will make a best-effort attempt to display the message, but may not + be able to, due to local conditions. +- key: details + type: + presence: required + content: A dictionary of additional data specific to the error code. + subkeys: + - key: security-token + type: + presence: required + content: The security token to pass to the phone's MDM server to use to form the + pairing token. This should be a random UUID string. diff --git a/mdm/profiles/CommonPayloadKeys.yaml b/mdm/profiles/CommonPayloadKeys.yaml index c9daa5d..aa02a28 100644 --- a/mdm/profiles/CommonPayloadKeys.yaml 
+++ b/mdm/profiles/CommonPayloadKeys.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: false supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false @@ -24,10 +26,12 @@ payload: mode: allowed tvOS: introduced: '5.0' + multiple: false supervised: false allowmanualinstall: true watchOS: introduced: '1.0' + multiple: false allowmanualinstall: true payloadkeys: - key: PayloadIdentifier diff --git a/mdm/profiles/GlobalPreferences.yaml b/mdm/profiles/GlobalPreferences.yaml index 5eac179..16c263f 100644 --- a/mdm/profiles/GlobalPreferences.yaml +++ b/mdm/profiles/GlobalPreferences.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/TopLevel.yaml b/mdm/profiles/TopLevel.yaml index 3164c8b..cd115d1 100644 --- a/mdm/profiles/TopLevel.yaml +++ b/mdm/profiles/TopLevel.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: false supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false @@ -24,10 +26,12 @@ payload: mode: allowed tvOS: introduced: '5.0' + multiple: false supervised: false allowmanualinstall: true watchOS: introduced: '1.0' + multiple: false allowmanualinstall: true payloadkeys: - key: PayloadIdentifier @@ -104,10 +108,6 @@ payloadkeys: supervised: true userenrollment: mode: forbidden - macOS: - supervised: true - userenrollment: - mode: forbidden tvOS: supervised: true watchOS: diff --git a/mdm/profiles/com.apple.ADCertificate.managed.yaml b/mdm/profiles/com.apple.ADCertificate.managed.yaml index 02239db..02c723e 100644 --- a/mdm/profiles/com.apple.ADCertificate.managed.yaml 
+++ b/mdm/profiles/com.apple.ADCertificate.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.AIM.account.yaml b/mdm/profiles/com.apple.AIM.account.yaml index 3cfa551..3ad7fbf 100644 --- a/mdm/profiles/com.apple.AIM.account.yaml +++ b/mdm/profiles/com.apple.AIM.account.yaml @@ -7,6 +7,7 @@ payload: introduced: '10.7' deprecated: '10.13' removed: '10.14' + multiple: true devicechannel: false userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.AssetCache.managed.yaml b/mdm/profiles/com.apple.AssetCache.managed.yaml index b7cd5dd..35d8cd4 100644 --- a/mdm/profiles/com.apple.AssetCache.managed.yaml +++ b/mdm/profiles/com.apple.AssetCache.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: 10.13.4 + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.Dictionary.yaml b/mdm/profiles/com.apple.Dictionary.yaml index b260d18..4895bf3 100644 --- a/mdm/profiles/com.apple.Dictionary.yaml +++ b/mdm/profiles/com.apple.Dictionary.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.DirectoryService.managed.yaml b/mdm/profiles/com.apple.DirectoryService.managed.yaml index df9a3e0..5e127b0 100644 --- a/mdm/profiles/com.apple.DirectoryService.managed.yaml +++ b/mdm/profiles/com.apple.DirectoryService.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.8' + multiple: true devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.DiscRecording.yaml b/mdm/profiles/com.apple.DiscRecording.yaml index de60d43..20d5321 100644 --- a/mdm/profiles/com.apple.DiscRecording.yaml +++ b/mdm/profiles/com.apple.DiscRecording.yaml 
@@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.MCX(Accounts).yaml b/mdm/profiles/com.apple.MCX(Accounts).yaml index 9e0844d..cf15d1f 100644 --- a/mdm/profiles/com.apple.MCX(Accounts).yaml +++ b/mdm/profiles/com.apple.MCX(Accounts).yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.MCX(EnergySaver).yaml b/mdm/profiles/com.apple.MCX(EnergySaver).yaml index e3e875b..7668c05 100644 --- a/mdm/profiles/com.apple.MCX(EnergySaver).yaml +++ b/mdm/profiles/com.apple.MCX(EnergySaver).yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.MCX(FileVault2).yaml b/mdm/profiles/com.apple.MCX(FileVault2).yaml index 7f94c87..6d1753e 100644 --- a/mdm/profiles/com.apple.MCX(FileVault2).yaml +++ b/mdm/profiles/com.apple.MCX(FileVault2).yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.MCX(Mobililty).yaml b/mdm/profiles/com.apple.MCX(Mobililty).yaml index f1ed13f..cf8fd21 100644 --- a/mdm/profiles/com.apple.MCX(Mobililty).yaml +++ b/mdm/profiles/com.apple.MCX(Mobililty).yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.MCX(TimeServer).yaml b/mdm/profiles/com.apple.MCX(TimeServer).yaml index 4d11e4f..d1f352b 100644 --- a/mdm/profiles/com.apple.MCX(TimeServer).yaml +++ b/mdm/profiles/com.apple.MCX(TimeServer).yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: 10.12.4 + multiple: false devicechannel: true userchannel: false requiresdep: false 
diff --git a/mdm/profiles/com.apple.MCX(WiFi).yaml b/mdm/profiles/com.apple.MCX(WiFi).yaml index 6c3463e..0cf12da 100644 --- a/mdm/profiles/com.apple.MCX(WiFi).yaml +++ b/mdm/profiles/com.apple.MCX(WiFi).yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.9' + multiple: true devicechannel: true userchannel: false requiresdep: false @@ -20,7 +21,7 @@ payloadkeys: type: presence: optional default: false - content: If YES, requires administrator authorization to enable IBSS. + content: If 'true', requires administrator authorization to enable IBSS. - key: RequireAdminForAirPortNetworkChange supportedOS: macOS: @@ -28,7 +29,7 @@ payloadkeys: type: presence: optional default: false - content: If YES, requires administrator authorization for network changes. + content: If 'true', requires administrator authorization for network changes. - key: RequireAdminToTurnAirPortOnOff supportedOS: macOS: @@ -36,4 +37,4 @@ payloadkeys: type: presence: optional default: false - content: If YES, requires administrator authorization to turn Wi-Fi on or off. + content: If 'true', requires administrator authorization to turn Wi-Fi on or off. diff --git a/mdm/profiles/com.apple.MCX.FileVault2.yaml b/mdm/profiles/com.apple.MCX.FileVault2.yaml index 63a6098..4c004da 100644 --- a/mdm/profiles/com.apple.MCX.FileVault2.yaml +++ b/mdm/profiles/com.apple.MCX.FileVault2.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.9' + multiple: false devicechannel: true userchannel: false requiresdep: false 
@@ -93,3 +94,15 @@ payloadkeys: presence: optional default: false content: If 'true', prevents requests for enabling FileVault at user logout time. +- key: ForceEnableInSetupAssistant + supportedOS: + macOS: + introduced: '14.0' + requiresdep: true + allowmanualinstall: false + type: + presence: optional + default: false + content: |- + If 'true', and this payload is installed after enrolling with MDM in Setup Assistant, it requests Setup Assistant to enable FileVault at setup time. + To use this, enable the Await Device Configured DEP configuration option, send this profile with this key set, before sending the DeviceConfigured command. An admin SecureToken user is required, otherwise the FileVault pane does not appear. diff --git a/mdm/profiles/com.apple.MCX.TimeMachine.yaml b/mdm/profiles/com.apple.MCX.TimeMachine.yaml index e299b71..72fe674 100644 --- a/mdm/profiles/com.apple.MCX.TimeMachine.yaml +++ b/mdm/profiles/com.apple.MCX.TimeMachine.yaml @@ -4,6 +4,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: false requiresdep: false @@ -21,7 +22,7 @@ payloadkeys: type: presence: optional default: false - content: If true, backs up only the startup volume by default. + content: If 'true', backs up only the startup volume by default. - key: BackupDestURL type: presence: required diff --git a/mdm/profiles/com.apple.ManagedClient.preferences.yaml b/mdm/profiles/com.apple.ManagedClient.preferences.yaml index 3294c08..1365ff7 100644 --- a/mdm/profiles/com.apple.ManagedClient.preferences.yaml +++ b/mdm/profiles/com.apple.ManagedClient.preferences.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.NSExtension.yaml b/mdm/profiles/com.apple.NSExtension.yaml index e7d28e2..7506e50 100644 --- a/mdm/profiles/com.apple.NSExtension.yaml +++ b/mdm/profiles/com.apple.NSExtension.yaml 
@@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.13' + multiple: true devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.SetupAssistant.managed.yaml b/mdm/profiles/com.apple.SetupAssistant.managed.yaml index 2d6f206..a1aaa7a 100644 --- a/mdm/profiles/com.apple.SetupAssistant.managed.yaml +++ b/mdm/profiles/com.apple.SetupAssistant.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '14.0' + multiple: false supervised: true allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: forbidden macOS: introduced: '10.12' + multiple: false devicechannel: true userchannel: true requiresdep: false @@ -32,7 +34,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', skips the Apple ID setup window. + content: If 'true', the system skips the Apple ID setup window. - key: SkipSiriSetup supportedOS: iOS: @@ -40,7 +42,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', skips the Siri setup window. + content: If 'true', the system skips the Siri setup window. - key: SkipPrivacySetup supportedOS: iOS: @@ -50,7 +52,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', skips the Privacy consent window. + content: If 'true', the system skips the Privacy consent window. - key: SkipiCloudStorageSetup supportedOS: iOS: @@ -60,7 +62,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', skips the iCloud Storage window. + content: If 'true', the system skips the iCloud Storage window. - key: SkipTrueTone supportedOS: iOS: @@ -70,7 +72,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', skips the True Tone Display window. + content: If 'true', the system skips the True Tone Display window. - key: SkipAppearance supportedOS: iOS: 
@@ -80,7 +82,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', skips the Choose Your Look window. + content: If 'true', the system skips the Choose Your Look window. - key: SkipTouchIDSetup supportedOS: iOS: @@ -90,7 +92,7 @@ payloadkeys: type: presence: optional default: false - content: If true, skips the Touch ID setup window. + content: If 'true', the system skips the Touch ID setup window. - key: SkipScreenTime supportedOS: iOS: @@ -100,7 +102,7 @@ payloadkeys: type: presence: optional default: false - content: If true, skips the Screen Time window. + content: If 'true', the system skips the Screen Time window. - key: SkipAccessibility supportedOS: iOS: @@ -110,7 +112,7 @@ payloadkeys: type: presence: optional default: false - content: Skips Accessibility window + content: If 'true', the system skips the Accessibility window. - key: SkipSetupItems supportedOS: iOS: @@ -134,4 +136,4 @@ payloadkeys: type: presence: optional default: false - content: Skips Unlock With Apple Watch window + content: If 'true', the system skips the Unlock With Apple Watch window. diff --git a/mdm/profiles/com.apple.ShareKitHelper.yaml b/mdm/profiles/com.apple.ShareKitHelper.yaml index c8e3653..dd3cb6e 100644 --- a/mdm/profiles/com.apple.ShareKitHelper.yaml +++ b/mdm/profiles/com.apple.ShareKitHelper.yaml @@ -6,6 +6,7 @@ payload: macOS: introduced: '10.9' deprecated: '10.12' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.SoftwareUpdate.yaml b/mdm/profiles/com.apple.SoftwareUpdate.yaml index 046d913..338dcf6 100644 --- a/mdm/profiles/com.apple.SoftwareUpdate.yaml +++ b/mdm/profiles/com.apple.SoftwareUpdate.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.SystemConfiguration.yaml b/mdm/profiles/com.apple.SystemConfiguration.yaml index 206c8c6..18e7d1b 100644 
--- a/mdm/profiles/com.apple.SystemConfiguration.yaml +++ b/mdm/profiles/com.apple.SystemConfiguration.yaml @@ -4,6 +4,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml index f95e40b..31b89bd 100644 --- a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml +++ b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.14' + multiple: true devicechannel: true userchannel: false requiresdep: false @@ -46,7 +47,7 @@ payloadkeys: - key: CodeRequirement type: presence: required - content: Obtained via the command ''codesign –display -r -''. + content: Obtained via the command ''codesign -display -r -''. - key: StaticCode type: presence: optional @@ -269,3 +270,12 @@ payloadkeys: 13 and later. subkeytype: Identity subkeys: *id001 + - key: SystemPolicyAppData + supportedOS: + macOS: + introduced: '14.0' + type: + presence: optional + content: Allows the application to access data of other apps. + subkeytype: Identity + subkeys: *id001 diff --git a/mdm/profiles/com.apple.airplay.security.yaml b/mdm/profiles/com.apple.airplay.security.yaml index 1268292..2da8655 100644 --- a/mdm/profiles/com.apple.airplay.security.yaml +++ b/mdm/profiles/com.apple.airplay.security.yaml @@ -5,6 +5,7 @@ payload: supportedOS: tvOS: introduced: '11.0' + multiple: false supervised: false allowmanualinstall: true content: Manages the AirPlay Security settings on Apple TV (Settings > AirPlay > diff --git a/mdm/profiles/com.apple.airplay.yaml b/mdm/profiles/com.apple.airplay.yaml index 2bbf642..ab0eb52 100644 --- a/mdm/profiles/com.apple.airplay.yaml +++ b/mdm/profiles/com.apple.airplay.yaml 
@@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '7.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.10' + multiple: true devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.airprint.yaml b/mdm/profiles/com.apple.airprint.yaml index b5be55b..a40492a 100644 --- a/mdm/profiles/com.apple.airprint.yaml +++ b/mdm/profiles/com.apple.airprint.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '7.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.10' + multiple: true devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.apn.managed.yaml b/mdm/profiles/com.apple.apn.managed.yaml index 2035833..d9e768f 100644 --- a/mdm/profiles/com.apple.apn.managed.yaml +++ b/mdm/profiles/com.apple.apn.managed.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '4.0' deprecated: '7.0' + multiple: false supervised: false allowmanualinstall: true sharedipad: diff --git a/mdm/profiles/com.apple.app.lock.yaml b/mdm/profiles/com.apple.app.lock.yaml index a05eeaf..d90a588 100644 --- a/mdm/profiles/com.apple.app.lock.yaml +++ b/mdm/profiles/com.apple.app.lock.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '6.0' + multiple: false supervised: true allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: forbidden tvOS: introduced: '10.2' + multiple: false supervised: true allowmanualinstall: true payloadkeys: diff --git a/mdm/profiles/com.apple.applicationaccess.new.yaml b/mdm/profiles/com.apple.applicationaccess.new.yaml index 3177ecd..33438db 100644 --- a/mdm/profiles/com.apple.applicationaccess.new.yaml +++ b/mdm/profiles/com.apple.applicationaccess.new.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: true requiresdep: false 
diff --git a/mdm/profiles/com.apple.applicationaccess.yaml b/mdm/profiles/com.apple.applicationaccess.yaml index 819fc92..d93ba17 100644 --- a/mdm/profiles/com.apple.applicationaccess.yaml +++ b/mdm/profiles/com.apple.applicationaccess.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -24,6 +26,12 @@ payload: mode: allowed tvOS: introduced: '6.1' + multiple: true + supervised: false + allowmanualinstall: true + watchOS: + introduced: '10.0' + multiple: true supervised: false allowmanualinstall: true payloadkeys: @@ -35,14 +43,19 @@ payloadkeys: userenrollment: mode: forbidden macOS: - introduced: n/a + introduced: '14.0' + userenrollment: + mode: forbidden tvOS: introduced: n/a + watchOS: + supervised: true type: presence: optional default: true - content: If 'false', disables account modification. Requires a supervised device. - Available in iOS 7 and later. + content: |- + If 'false', disables account modification. Requires a supervised device. + Available in iOS 7 and later, macOS 14 and later, and watchOS 10 and later. - key: allowActivityContinuation title: Allow Handoff supportedOS: @@ -56,11 +69,14 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', disables activity continuation. Available in iOS 8 and later, - and macOS 10.15 and later. + and macOS 10.15 and later. In a future release, this restriction will begin requiring + supervision and will apply to personal Apple IDs only. - key: allowAddingGameCenterFriends title: Allow Adding Game Center Friends supportedOS: @@ -75,6 +91,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true 
@@ -93,6 +111,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -110,6 +130,8 @@ payloadkeys: tvOS: introduced: '10.2' supervised: true + watchOS: + introduced: n/a type: presence: optional default: true @@ -127,6 +149,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -144,6 +168,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -161,6 +187,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -179,6 +207,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -196,6 +226,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -214,13 +246,15 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + supervised: true type: presence: optional default: true content: If 'false', disables the App Store, and its icon is removed from the Home screen. Users are unable to install or update their apps. In iOS 10 and later, MDM commands can override this restriction. As of iOS 13, this restriction requires - a supervised device. Available in iOS 4 and later. + a supervised device. Available in iOS 4 and later and watchOS 10 and later. - key: allowApplePersonalizedAdvertising supportedOS: iOS: @@ -233,6 +267,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true 
@@ -250,25 +286,50 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + supervised: true type: presence: optional default: true content: If 'false', disables removal of apps from an iOS device. Requires a supervised - device. Available in iOS 4.2.1 and later. + device. Available in iOS 4.2.1 and later and watchOS 10 and later. +- key: allowARDRemoteManagementModification + title: Allow modifying Remote Management Sharing setting + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', prevents modifying the Remote Management Sharing setting in System Settings. + Available in macOS 14 and later. - key: allowAssistant title: Allow Siri supportedOS: iOS: introduced: '5.0' macOS: - introduced: n/a + introduced: '14.0' + userenrollment: + mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true - content: If 'false', disables Siri. Available in iOS 5 and later. Also available - for user enrollment. + content: If 'false', disables Siri or Siri settings. Available in iOS 5 and later, + and macOS 14.0 and later. Also available on iOS for user enrollment. - key: allowAssistantUserGeneratedContent supportedOS: iOS: @@ -280,11 +341,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + supervised: true type: presence: optional default: true content: If 'false', prevents Siri from querying user-generated content from the - web. Requires a supervised device. Available in iOS 7 and later. + web. Requires a supervised device. Available in iOS 7 and later and watchOS 10 + and later. - key: allowAssistantWhileLocked title: Allow Siri While Locked supportedOS: @@ -312,6 +376,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true 
@@ -329,12 +395,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + supervised: true type: presence: optional default: true content: If 'false', prevents automatic downloading of apps purchased on other devices. This setting doesn't affect updates to existing apps. Requires a supervised device. - Available in iOS 9 and later. + Available in iOS 9 and later and watchOS 10 and later. - key: allowAutomaticScreenSaver supportedOS: iOS: @@ -344,6 +412,8 @@ payloadkeys: tvOS: introduced: '15.4' supervised: true + watchOS: + introduced: n/a type: presence: optional default: true @@ -361,11 +431,14 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', disallows auto unlock. Available in macOS 10.12 and later, - and iOS 14.5 and later. + and iOS 14.5 and later. This restriction will require supervision in a future + release. - key: allowBluetoothModification title: Allow modifying Bluetooth settings supportedOS: @@ -380,11 +453,32 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', prevents modification of Bluetooth settings. Requires a supervised device. Available in iOS 11 and later, and macOS 13.0 and later. +- key: allowBluetoothSharingModification + title: Allow modifying Bluetooth Sharing setting + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', prevents modifying Bluetooth setting in System Settings. + Available in macOS 14 and later. - key: allowBookstore title: Allow Bookstore supportedOS: @@ -397,6 +491,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true 
@@ -413,11 +509,15 @@ payloadkeys: introduced: n/a tvOS: introduced: '11.3' + deprecated: '17.0' + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', the user can't download Apple Books media that is tagged as - erotica. Available in iOS 6 and later, and tvOS 11.3 and later. + erotica. Available in iOS 6 and later, and tvOS 11.3 and later. This restriction + will require supervision in a future release. - key: allowCamera title: Allow Camera Use supportedOS: @@ -431,6 +531,9 @@ payloadkeys: userenrollment: mode: forbidden tvOS: + introduced: '17.0' + supervised: false + watchOS: introduced: n/a type: presence: optional @@ -450,6 +553,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -467,6 +572,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -483,6 +590,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -500,6 +609,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -516,6 +627,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -531,6 +644,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -546,6 +661,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true 
@@ -567,12 +684,33 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', disables document and key-value syncing to iCloud. As of iOS - 13, this restriction requires a supervised device and shared iPads don't support - it. Available in iOS 5 and later, and macOS 10.11 and later. + 13, this restriction requires a supervised device. Available in iOS 5 and later, + and macOS 10.11 and later. In a future release, this restriction will apply only + to personal Apple IDs and will have no effect on Managed Apple IDs. +- key: allowCloudFreeform + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', disallows iCloud Freeform services. + Available in macOS 14 and later. - key: allowCloudKeychainSync supportedOS: iOS: @@ -586,6 +724,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -602,6 +742,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -617,6 +759,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -635,13 +779,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', disables iCloud Photo Library, including iCloud Shared Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device are removed from local storage. Available in iOS 9 and later, and macOS 10.12 - and later. + and later. In a future release, this restriction will begin requiring supervision + and will apply to personal Apple IDs only. - key: allowCloudPrivateRelay supportedOS: iOS: 
@@ -655,12 +802,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', disables iCloud Private Relay. For iOS devices, this restriction requires a supervised device. Available in macOS 12 and later, and iOS 15 and - later. + later. In a future release, this restriction will apply only to personal Apple + IDs and will have no effect on Managed Apple IDs. - key: allowCloudReminders supportedOS: iOS: @@ -671,6 +821,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -687,11 +839,12 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true - content: If 'false', disables content caching. As of 10.13.4 this is included in - the content caching payload. Available in macOS 10.13 and later. + content: If 'false', disables content caching. Available in macOS 10.13 and later. - key: allowContinuousPathKeyboard title: Allow Continuous Path Keyboard supportedOS: @@ -704,6 +857,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -723,6 +878,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true 
@@ -737,15 +894,20 @@ payloadkeys: userenrollment: mode: forbidden macOS: - introduced: n/a + introduced: '14.0' + userenrollment: + mode: forbidden tvOS: introduced: '11.0' supervised: true + watchOS: + introduced: n/a type: presence: optional default: true - content: If 'false', prevents the user from changing the device name. Requires a - supervised device. Available in iOS 9 and later, and tvOS 11.0 and later. + content: |- + If 'false', prevents the user from changing the device name. Requires a supervised device. + Available in iOS 9 and later, macOS 14 and later, and tvOS 11.0 and later. - key: allowDeviceSleep title: Allow Device Sleep supportedOS: @@ -756,6 +918,8 @@ payloadkeys: tvOS: introduced: '13.0' supervised: true + watchOS: + introduced: n/a type: presence: optional default: true @@ -788,6 +952,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -808,6 +974,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -825,6 +993,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -842,6 +1012,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -860,6 +1032,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -874,6 +1048,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -893,6 +1069,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -911,6 +1089,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true 
@@ -929,13 +1109,35 @@ payloadkeys: introduced: n/a tvOS: introduced: '11.3' + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', hides explicit music or video content purchased from the iTunes Store. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. As of iOS 13, requires a supervised - device. Available in iOS 4 and later, and tvOS 11.3 and later. + device. Available in iOS 4 and later, and tvOS 11.3 and later. This restriction + will require supervision in a future release. +- key: allowFileSharingModification + title: Allow modifying File Sharing setting + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', prevents modifying File Sharing setting in System Settings. + Available in macOS 14 and later. - key: allowFilesNetworkDriveAccess supportedOS: iOS: @@ -947,6 +1149,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -963,6 +1167,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -981,6 +1187,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -999,6 +1207,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1015,6 +1225,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true 
@@ -1033,11 +1245,14 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', prevents Touch ID or Face ID from unlocking a device. Available - in iOS 7 and later, and macOS 10.12.4 and later. + in iOS 7 and later, and macOS 10.12.4 and later. This restriction will require + supervision in a future release. - key: allowFingerprintModification title: Allow Modifying Touch ID Fingerprints supportedOS: @@ -1047,14 +1262,18 @@ payloadkeys: userenrollment: mode: forbidden macOS: - introduced: n/a + introduced: '14.0' + userenrollment: + mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', prevents the user from modifying Touch ID or Face ID. Requires - a supervised device. Available in iOS 8.3 and later. + a supervised device. Available in iOS 8.3 and later, and macOS 14 and later. - key: allowGameCenter title: Allow Game Center supportedOS: @@ -1069,6 +1288,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1086,11 +1307,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', disables global background fetch activity when an iOS phone - is roaming. Available in iOS 4 and later. + is roaming. Available in iOS 4 and later. This restriction will require supervision + in a future release. - key: allowHostPairing supportedOS: iOS: @@ -1102,6 +1326,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true 
@@ -1120,10 +1346,54 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', prohibits in-app purchasing. Available in iOS 4 and later. + This restriction will require supervision in a future release. +- key: allowInternetSharingModification + title: Allow modifying Internet Sharing setting + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', prevents modifying Internet Sharing setting in System Settings. + Available in macOS 14 and later. +- key: allowiPhoneWidgetsOnMac + title: Allow iPhone widget on Mac + supportedOS: + iOS: + introduced: '17.0' + supervised: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', disallows iPhone widgets on a Mac that has signed in the same AppleID for iCloud. Supervised only. + Available on iOS 17 and later. - key: allowiTunes title: Allow use of iTunes supportedOS: @@ -1136,6 +1406,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1152,6 +1424,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1169,6 +1443,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1187,6 +1463,8 @@ payloadkeys: tvOS: introduced: '15.0' supervised: true + watchOS: + introduced: n/a type: presence: optional content: If present, this property allows only bundle IDs listed in the array to 
@@ -1197,6 +1475,25 @@ payloadkeys: - key: appAllowlistedBundleID title: Allow Listed App type: +- key: allowLocalUserCreation + title: Allow creating users in System Settings + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', prevents creating new users in System Settings. + Available in macOS 14 and later. - key: allowLockScreenControlCenter supportedOS: iOS: @@ -1205,6 +1502,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1232,6 +1531,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1248,6 +1549,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1262,6 +1565,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1279,6 +1584,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -1300,6 +1607,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1319,6 +1628,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1337,6 +1648,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1353,6 +1666,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1370,6 +1685,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true 
@@ -1384,6 +1701,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1398,6 +1717,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1414,6 +1735,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1431,6 +1754,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1448,6 +1773,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1467,6 +1794,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1486,6 +1815,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1508,6 +1839,8 @@ payloadkeys: tvOS: introduced: '12.0' supervised: true + watchOS: + introduced: n/a type: presence: optional default: true @@ -1527,6 +1860,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1545,6 +1880,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1555,12 +1892,15 @@ payloadkeys: supportedOS: iOS: introduced: '5.0' + deprecated: '17.0' userenrollment: mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1576,6 +1916,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true 
@@ -1593,11 +1935,32 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', disables predictive keyboards. Requires a supervised device. Available in iOS 8.1.3 and later. +- key: allowPrinterSharingModification + title: Allow modifying Printer Sharing setting + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', prevents modifying Printer Sharing setting in System Settings. + Available in macOS 14 and later. - key: allowProximitySetupToNewDevice supportedOS: iOS: @@ -1609,6 +1972,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1626,6 +1991,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1645,6 +2012,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1663,10 +2032,31 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', prohibits removal of rapid security responses. +- key: allowRemoteAppleEventsModification + title: Allow modifying Remote Apple Events Sharing setting + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', prevents modifying Remote Apple Events Sharing setting in System Settings. + Available in macOS 14 and later. - key: allowRemoteAppPairing title: Allow pairing with Remote app supportedOS: 
@@ -1677,6 +2067,8 @@ payloadkeys: tvOS: introduced: '10.2' supervised: true + watchOS: + introduced: n/a type: presence: optional default: true @@ -1691,6 +2083,8 @@ payloadkeys: introduced: 10.14.4 tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1711,6 +2105,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1744,6 +2140,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1760,10 +2158,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', disables Shared Photo Stream. Available in iOS 6 and later. + This restriction will require supervision in a future release. - key: allowSpellCheck title: Allow Spell Check supportedOS: @@ -1776,6 +2177,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1794,11 +2197,33 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', disables Spotlight Internet search results in Siri Suggestions. - Available in iOS 8 and later, and macOS 10.11 and later. + Available in iOS 8 and later, and macOS 10.11 and later. This restriction will + require supervision in a future release. +- key: allowStartupDiskModification + title: Allow modifying Startup Disk settings + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', prevents modification of Startup Disk setting in System Settings. + Available in macOS 14 and later. - key: allowSystemAppRemoval supportedOS: iOS: 
@@ -1810,11 +2235,32 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', disables the removal of system apps from the device. Requires a supervised device. Available in iOS 11 and later. +- key: allowTimeMachineBackup + title: Allow modifying Time Machine settings + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', prevents modification of Time Machine settings in System Settings. + Available in macOS 14 and later. - key: allowUIAppInstallation title: Allow App Installation from App Store supportedOS: @@ -1827,12 +2273,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + supervised: true type: presence: optional default: true content: |- If 'false', disables the App Store, and its icon is removed from the Home screen. However, users may continue to use host apps (iTunes, Configurator) to install or update their apps. - In iOS 10 and later, MDM commands can override this restriction. Requires a supervised device. Available in iOS 9 and later. + In iOS 10 and later, MDM commands can override this restriction. Requires a supervised device. Available in iOS 9 and later and watchOS 10 and later. - key: allowUIConfigurationProfileInstallation title: Allow UI Configuration Profile Installation supportedOS: @@ -1847,6 +2295,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1864,6 +2314,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1878,6 +2330,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false 
@@ -1896,6 +2350,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -1912,6 +2368,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1931,13 +2389,14 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: |- If 'false', allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization. - If the system has Lockdown mode enabled, the system ignores this value. - Requires a supervised device. Available in iOS 11.4.1 and later and macOS 13 and later. + This value is ignored if Lockdown mode is enabled. Requires a supervised device. Available in iOS 11.4.1 and later and macOS 13 and later. - key: allowVideoConferencing title: Allow Video Conferencing supportedOS: @@ -1950,6 +2409,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1960,12 +2421,15 @@ payloadkeys: supportedOS: iOS: introduced: '4.0' + deprecated: '17.0' userenrollment: mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -1983,6 +2447,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -2002,6 +2468,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -2018,6 +2486,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: If present, allows apps identified by the bundle IDs listed in the array 
@@ -2042,6 +2512,8 @@ payloadkeys: introduced: '11.0' deprecated: '15.0' supervised: true + watchOS: + introduced: n/a type: presence: optional content: Use blockedAppBundleIDs instead. @@ -2062,6 +2534,8 @@ payloadkeys: tvOS: introduced: '15.0' supervised: true + watchOS: + introduced: n/a type: presence: optional content: |- @@ -2081,6 +2555,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: 172800 @@ -2101,6 +2577,8 @@ payloadkeys: tvOS: introduced: '12.2' supervised: true + watchOS: + introduced: n/a type: presence: optional range: @@ -2121,6 +2599,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional range: @@ -2140,6 +2620,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional range: @@ -2159,6 +2641,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional range: @@ -2177,6 +2661,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2190,6 +2676,8 @@ payloadkeys: introduced: n/a tvOS: introduced: '6.2' + watchOS: + introduced: n/a type: presence: optional default: false @@ -2204,6 +2692,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2222,6 +2712,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2241,11 +2733,13 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false content: If 'true', forces the use of the profanity filter assistant. Requires a - supervised device. Available in iOS 11 and later. + supervised device. Available in iOS 11 and later and macOS 10.13 and later. - key: forceAuthenticationBeforeAutoFill supportedOS: iOS: 
@@ -2257,6 +2751,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2276,6 +2772,8 @@ payloadkeys: tvOS: introduced: '12.2' supervised: true + watchOS: + introduced: n/a type: presence: optional default: false @@ -2298,6 +2796,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2318,6 +2818,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2338,6 +2840,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2358,6 +2862,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2376,6 +2882,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2394,6 +2902,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2414,6 +2924,8 @@ payloadkeys: tvOS: introduced: '12.2' supervised: true + watchOS: + introduced: n/a type: presence: optional default: false @@ -2430,6 +2942,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2440,12 +2954,15 @@ payloadkeys: supportedOS: iOS: introduced: '6.0' + deprecated: '17.0' userenrollment: mode: forbidden macOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2461,6 +2978,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false 
@@ -2479,7 +2998,8 @@ payloadkeys: presence: optional default: false content: If 'true', disables connections to Siri servers for the purposes of dictation. - Available in iOS 14.5 and later. Also available for user enrollment. + Available in iOS 14.5 and later, macOS 14 and later, and watchOS 10 and later. + Also available for user enrollment. - key: forceOnDeviceOnlyTranslation supportedOS: iOS: @@ -2519,6 +3039,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2537,6 +3059,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2555,6 +3079,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2570,6 +3096,8 @@ payloadkeys: introduced: n/a tvOS: introduced: '11.3' + watchOS: + introduced: n/a type: presence: optional range: @@ -2585,6 +3113,7 @@ payloadkeys: * 200: 9+ * 100: 4+ * 0: None + This restriction will require supervision in a future release. - key: ratingMovies title: Movies Ranking Number supportedOS: @@ -2596,6 +3125,8 @@ payloadkeys: introduced: n/a tvOS: introduced: '11.3' + watchOS: + introduced: n/a type: presence: optional range: @@ -2612,8 +3143,12 @@ payloadkeys: * 200: PG * 100: G * 0: None + This restriction will require supervision in a future release. - key: ratingRegion title: Region Code + supportedOS: + watchOS: + introduced: n/a type: presence: optional rangelist: @@ -2639,6 +3174,8 @@ payloadkeys: introduced: n/a tvOS: introduced: '11.3' + watchOS: + introduced: n/a type: presence: optional range: @@ -2658,6 +3195,7 @@ payloadkeys: * 200: TV-Y7 * 100: TV-Y * 0: None + This restriction will require supervision in a future release. - key: requireManagedPasteboard supportedOS: iOS: 
@@ -2666,6 +3204,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -2682,6 +3222,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional rangelist: @@ -2695,6 +3237,7 @@ payloadkeys: '0': Prevent Cross-Site Tracking and Block All Cookies are enabled and the user canʼt disable either setting. '1' or '1.5': Prevent Cross-Site Tracking is enabled and the user canʼt disable it. Block All Cookies is not enabled, although the user can enable it. '2': Prevent Cross-Site Tracking is enabled and Block All Cookies is not enabled. The user can toggle either setting. + This restriction will require supervision in a future release. - key: safariAllowAutoFill title: Allow AutoFill in Safari supportedOS: @@ -2709,6 +3252,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -2726,10 +3271,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', Safari doesn't execute JavaScript. Available in iOS 4 and later. + This restriction will require supervision in a future release. - key: safariAllowPopups title: Allow Pop-ups supportedOS: @@ -2741,11 +3289,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true content: If 'false', Safari doesn't allow pop-up windows. Available in iOS 4 and - later. + later. This restriction will require supervision in a future release. - key: safariForceFraudWarning title: Enable Fraud Warning supportedOS: @@ -2755,6 +3305,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false 
@@ -2775,6 +3327,8 @@ payloadkeys: introduced: '11.0' deprecated: '15.0' supervised: true + watchOS: + introduced: n/a type: presence: optional content: Use 'allowListedAppBundleIDs' instead. diff --git a/mdm/profiles/com.apple.appstore.yaml b/mdm/profiles/com.apple.appstore.yaml index a3ac455..d2051e2 100644 --- a/mdm/profiles/com.apple.appstore.yaml +++ b/mdm/profiles/com.apple.appstore.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.9' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.asam.yaml b/mdm/profiles/com.apple.asam.yaml index 34c6b27..a704bbd 100644 --- a/mdm/profiles/com.apple.asam.yaml +++ b/mdm/profiles/com.apple.asam.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: 10.13.4 + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.associated-domains.yaml b/mdm/profiles/com.apple.associated-domains.yaml index 2460f98..70dfdf0 100644 --- a/mdm/profiles/com.apple.associated-domains.yaml +++ b/mdm/profiles/com.apple.associated-domains.yaml @@ -6,6 +6,7 @@ payload: supportedOS: macOS: introduced: '10.15' + multiple: true devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.caldav.account.yaml b/mdm/profiles/com.apple.caldav.account.yaml index b9c9556..479847b 100644 --- a/mdm/profiles/com.apple.caldav.account.yaml +++ b/mdm/profiles/com.apple.caldav.account.yaml @@ -6,6 +6,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -16,6 +17,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: false userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.carddav.account.yaml b/mdm/profiles/com.apple.carddav.account.yaml index 9f99a66..4292270 100644 --- a/mdm/profiles/com.apple.carddav.account.yaml +++ b/mdm/profiles/com.apple.carddav.account.yaml 
@@ -6,6 +6,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -16,6 +17,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: false userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.cellular.yaml b/mdm/profiles/com.apple.cellular.yaml index 5790a5b..e09ea7b 100644 --- a/mdm/profiles/com.apple.cellular.yaml +++ b/mdm/profiles/com.apple.cellular.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '7.0' + multiple: false supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: forbidden watchOS: introduced: '3.2' + multiple: false allowmanualinstall: true content: |- This payload cannot be installed if an APN payload is already installed. diff --git a/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml b/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml new file mode 100644 index 0000000..5e5f6fa --- /dev/null +++ b/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml 
@@ -0,0 +1,73 @@ +title: Cellular Private Network +description: Cellular Private Network Settings and Device Configuration +payload: + payloadtype: com.apple.cellularprivatenetwork.managed + supportedOS: + iOS: + introduced: '17.0' + multiple: false + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + content: Payload can be used to provide device info on private network deployments + including geographical location, preference over wifi, and network deployment + type. +payloadkeys: +- key: Geofences + type: + presence: optional + content: A list of up to 1000 geofences for private networks. Geofencing is only + used on iPhone. + subkeys: + - key: GeofenceItem + type: + subkeys: + - key: Longitude + type: + presence: required + range: + min: -180.0 + max: 180.0 + content: The longitude of the geofence. + - key: Latitude + type: + presence: required + range: + min: -90.0 + max: 90.0 + content: The latitude of the geofence. + - key: Radius + type: + presence: required + range: + min: 100.0 + max: 6500.0 + content: Specifies the radius of the geofence in meters. Set this value slightly + greater than the private cellular network coverage area. + - key: GeofenceId + type: + presence: required + content: A geofence identifier that's unique within a list of geofences. +- key: DataSetName + type: + presence: required + content: The name of the private network configuration data set. +- key: VersionNumber + type: + presence: required + content: The version number of this dataset that the system uses to track updates. +- key: CellularDataPreferred + type: + presence: optional + default: false + content: Set to 'true' to prefer this private network over Wi-Fi. +- key: EnableNRStandalone + type: + presence: optional + default: false + content: Set to 'true' if this private network is NR Standalone. 
diff --git a/mdm/profiles/com.apple.conferenceroomdisplay.yaml b/mdm/profiles/com.apple.conferenceroomdisplay.yaml index 20cf5ce..ce1b04c 100644 --- a/mdm/profiles/com.apple.conferenceroomdisplay.yaml +++ b/mdm/profiles/com.apple.conferenceroomdisplay.yaml @@ -6,6 +6,7 @@ payload: supportedOS: tvOS: introduced: '10.2' + multiple: false supervised: true allowmanualinstall: true content: Configures an Apple TV to enter Conference Room Display mode, and restrictions diff --git a/mdm/profiles/com.apple.configurationprofile.identification.yaml b/mdm/profiles/com.apple.configurationprofile.identification.yaml index f5cfe22..6cb74ea 100644 --- a/mdm/profiles/com.apple.configurationprofile.identification.yaml +++ b/mdm/profiles/com.apple.configurationprofile.identification.yaml @@ -4,6 +4,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.dashboard.yaml b/mdm/profiles/com.apple.dashboard.yaml index 3cdfc50..283844c 100644 --- a/mdm/profiles/com.apple.dashboard.yaml +++ b/mdm/profiles/com.apple.dashboard.yaml @@ -7,6 +7,7 @@ payload: introduced: '10.7' deprecated: '10.15' removed: '10.15' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.declarations.yaml b/mdm/profiles/com.apple.declarations.yaml new file mode 100644 index 0000000..4b5b998 --- /dev/null +++ b/mdm/profiles/com.apple.declarations.yaml 
@@ -0,0 +1,51 @@ +title: Declarations +description: Declarations +payload: + payloadtype: com.apple.declarations + supportedOS: + iOS: + introduced: '17.0' + multiple: true + supervised: false + allowmanualinstall: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: '14.0' + multiple: true + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + tvOS: + introduced: '17.0' + multiple: true + supervised: false + allowmanualinstall: true + watchOS: + introduced: '10.0' + multiple: true + supervised: false + allowmanualinstall: true + content: This profile applies a set of declarations to the device via the Settings + app. This allows manual installations of declarations in cases where an MDM enrollment + is not present. This profile can only be manually installed, and cannot be installed + via an MDM server. +payloadkeys: +- key: Declarations + title: Declarations + type: + presence: required + content: The set of declarations to apply. The items in this array are Base64-encoded + data representations of the declaration JSON data. + subkeys: + - key: DeclarationsItem + title: Declarations Content Item + type: + presence: required + content: An item in the declarations list diff --git a/mdm/profiles/com.apple.desktop.yaml b/mdm/profiles/com.apple.desktop.yaml index 0af97ce..db24613 100644 --- a/mdm/profiles/com.apple.desktop.yaml +++ b/mdm/profiles/com.apple.desktop.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.10' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.dnsProxy.managed.yaml b/mdm/profiles/com.apple.dnsProxy.managed.yaml index a5aac9b..c0602dc 100644 --- a/mdm/profiles/com.apple.dnsProxy.managed.yaml +++ b/mdm/profiles/com.apple.dnsProxy.managed.yaml 
@@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '11.0' + multiple: false supervised: false allowmanualinstall: false sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.15' + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.dnsSettings.managed.yaml b/mdm/profiles/com.apple.dnsSettings.managed.yaml index aca726b..aea65ce 100644 --- a/mdm/profiles/com.apple.dnsSettings.managed.yaml +++ b/mdm/profiles/com.apple.dnsSettings.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '14.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: forbidden macOS: introduced: '11.0' + multiple: true devicechannel: true userchannel: false requiresdep: false @@ -185,3 +187,15 @@ payloadkeys: default: false content: If 'true', prohibits users from disabling DNS settings. This key is only available on supervised devices. +- key: PayloadCertificateUUID + title: Certificate UUID + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: '13.0' + type: + presence: optional + format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ + content: The UUID that points to an identity certificate payload. The system uses + this identity to authenticate the user to the DNS resolver. diff --git a/mdm/profiles/com.apple.dock.yaml b/mdm/profiles/com.apple.dock.yaml index cd1b0c2..d9139dc 100644 --- a/mdm/profiles/com.apple.dock.yaml +++ b/mdm/profiles/com.apple.dock.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.domains.yaml b/mdm/profiles/com.apple.domains.yaml index 91281ca..ea34136 100644 --- a/mdm/profiles/com.apple.domains.yaml +++ b/mdm/profiles/com.apple.domains.yaml 
@@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '8.0' + multiple: false supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: forbidden macOS: introduced: '10.10' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.eas.account.yaml b/mdm/profiles/com.apple.eas.account.yaml index 4a9c4a6..7ceba61 100644 --- a/mdm/profiles/com.apple.eas.account.yaml +++ b/mdm/profiles/com.apple.eas.account.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: diff --git a/mdm/profiles/com.apple.education.yaml b/mdm/profiles/com.apple.education.yaml index 3433883..828b351 100644 --- a/mdm/profiles/com.apple.education.yaml +++ b/mdm/profiles/com.apple.education.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '9.3' + multiple: false supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.14' + multiple: false devicechannel: false userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.ews.account.yaml b/mdm/profiles/com.apple.ews.account.yaml index cc581be..38f4295 100644 --- a/mdm/profiles/com.apple.ews.account.yaml +++ b/mdm/profiles/com.apple.ews.account.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: true devicechannel: false userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml index 7d338c1..8706802 100644 --- a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml +++ b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '13.0' + multiple: true supervised: false allowmanualinstall: false sharedipad: 
@@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.15' + multiple: true devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.extensiblesso.yaml b/mdm/profiles/com.apple.extensiblesso.yaml index 0e1e383..9c68a9b 100644 --- a/mdm/profiles/com.apple.extensiblesso.yaml +++ b/mdm/profiles/com.apple.extensiblesso.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '13.0' + multiple: true supervised: false allowmanualinstall: false sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.15' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -60,7 +62,7 @@ payloadkeys: - key: ANY type: presence: optional - content: Keys and values to be passed to the app extension. + content: Keys and values to pass to the app extension. - key: URLs type: presence: optional @@ -123,6 +125,7 @@ payloadkeys: introduced: n/a macOS: introduced: '13.0' + deprecated: '14.0' type: presence: optional rangelist: @@ -130,7 +133,7 @@ payloadkeys: - UserSecureEnclaveKey content: |- The Platform SSO authentication method the extension uses. Requires that the SSO Extension also supports the method. - Available in macOS 13 and later. + Available in macOS 13 and later and deprecated in macOS 14. - key: RegistrationToken supportedOS: iOS: 
@@ -140,5 +143,128 @@ payloadkeys: type: presence: optional content: |- - The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. Requires that 'AuthenticationMethod' isn't empty. + The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. Requires that 'PlatformSSO' 'AuthenticationMethod' isn't empty. Available in macOS 13 and later. +- key: PlatformSSO + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + type: + presence: optional + content: The dictionary to configure Platform SSO. + subkeys: + - key: AuthenticationMethod + type: + presence: optional + rangelist: + - Password + - UserSecureEnclaveKey + - SmartCard + content: The Platform SSO authentication method to use with the extension. Requires + that the SSO Extension also support the method. + - key: UseSharedDeviceKeys + type: + presence: optional + default: false + content: If 'true', the system uses the same signing and encryption keys for all + users. + - key: AccountDisplayName + type: + presence: optional + content: The display name for the account in notifications and authentication + requests. + - key: LoginFrequency + type: + presence: optional + range: + min: 3600 + default: 64800 + content: The duration, in seconds, until the system requires a full login instead + of a refresh. The default value is 64,800 (18 hours). The minimum value is 3600 + (1 hour). + - key: EnableCreateUserAtLogin + type: + presence: optional + default: false + content: Enables creating new users at the login window with an 'AuthenticationMethod' + of either 'Password' or 'SmartCard'. Requires that 'UseSharedDeviceKeys' is + 'true'. + - key: EnableAuthorization + type: + presence: optional + default: false + content: Enables using identity provider accounts at authorization prompts. Requires + that 'UseSharedDeviceKeys' is 'true'. 
The system assigns groups using 'AdministratorGroups', + 'AdditionalGroups', or 'AuthorizationGroups'. + - key: TokenToUserMapping + type: + presence: optional + content: The attribute mapping to use when creating new users or for authorization. + subkeys: + - key: AccountName + type: + presence: optional + content: The claim name to use for the user's account name. + - key: FullName + type: + presence: optional + content: The claim name to use for the user's full name. + - key: NewUserAuthorizationMode + type: + presence: optional + rangelist: + - Standard + - Admin + - Groups + content: |- + The permission to apply to newly created accounts at login, which has the following values: + * 'Standard': The account is a standard user. + * 'Admin': The system adds the account to the local administrators group. + * 'Groups': The system assigns group to the account using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'. + - key: UserAuthorizationMode + type: + presence: optional + rangelist: + - Standard + - Admin + - Groups + content: |- + The permission to apply to an account each time the user authenticates, which has the following values: + * 'Standard': The account is a standard user. + * 'Admin': The system adds the account to the local administrators group. + * 'Groups': The system assigns group to the account using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'. + - key: AdministratorGroups + type: + presence: optional + content: The list of groups to use for administrator access. The system requests + membership during authentication. + subkeys: + - key: Group + type: + presence: optional + content: The group name. + - key: AdditionalGroups + type: + presence: optional + content: The list of created groups that don't have administrator access. + subkeys: + - key: Group + type: + presence: optional + content: The group name. 
+ - key: AuthorizationGroups + type: + presence: optional + content: The pairing of Authorization Rights to group names. The system updates + the Authorization Right to use the group when used. + subkeys: + - key: Authorization Right + type: + presence: required + content: The Authorization Right to update. + - key: Group + type: + presence: required + content: The group to use for the Authorization Right. diff --git a/mdm/profiles/com.apple.familycontrols.contentfilter.yaml b/mdm/profiles/com.apple.familycontrols.contentfilter.yaml index f629d6a..4e38b43 100644 --- a/mdm/profiles/com.apple.familycontrols.contentfilter.yaml +++ b/mdm/profiles/com.apple.familycontrols.contentfilter.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml b/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml index c0410f4..30b5dd8 100644 --- a/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml +++ b/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.fileproviderd.yaml b/mdm/profiles/com.apple.fileproviderd.yaml index b884c02..476a887 100644 --- a/mdm/profiles/com.apple.fileproviderd.yaml +++ b/mdm/profiles/com.apple.fileproviderd.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '11.0' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.finder.yaml b/mdm/profiles/com.apple.finder.yaml index d918216..afa97a3 100644 --- a/mdm/profiles/com.apple.finder.yaml +++ b/mdm/profiles/com.apple.finder.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false 
@@ -17,7 +18,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables the Finder's burn support. + content: If 'true', the system disables the Finder's burn support. - key: InterfaceLevel supportedOS: macOS: 
@@ -27,44 +28,44 @@ payloadkeys: rangelist: - Simple - Full - content: If Finder should operate in Simple or Full mode. + content: Specifies whether Finder should operate in Simple or Full mode. - key: ProhibitConnectTo type: presence: optional default: false - content: If set to true, Connect to Server will be disabled. + content: If 'true', the system disables Connect to Server. - key: ProhibitEject type: presence: optional default: false - content: If set to true, Eject will be disabled. + content: If 'true', the system disables Eject. - key: ProhibitGoToFolder type: presence: optional default: false - content: If set to true, Go To Folder will be disabled. + content: If 'true', the system disables Go to Folder. - key: ShowExternalHardDrivesOnDesktop type: presence: optional default: true - content: If set to false, external hard drives will not appear on the desktop. + content: If 'false', external hard drives don't appear on the Desktop. - key: ShowHardDrivesOnDesktop type: presence: optional default: false - content: If set to false, internal hard drives will not appear on the desktop. + content: If 'false', internal hard drives don't appear on the Desktop. - key: ShowMountedServersOnDesktop type: presence: optional default: false - content: If set to false, mounted file servers will not appear on the desktop. + content: If 'false', mounted file servers don't appear on the Desktop. - key: ShowRemovableMediaOnDesktop type: presence: optional default: true - content: If set to false, removable media will not appear on the desktop. + content: If 'false', removable media items don't appear on the Desktop. - key: WarnOnEmptyTrash type: presence: optional default: true - content: If set to false, user will not be warned before emptying the trash. + content: If 'false', the user isn't warned before emptying the trash. 
diff --git a/mdm/profiles/com.apple.firstactiveethernet.managed.yaml b/mdm/profiles/com.apple.firstactiveethernet.managed.yaml index b58c019..e28c166 100644 --- a/mdm/profiles/com.apple.firstactiveethernet.managed.yaml +++ b/mdm/profiles/com.apple.firstactiveethernet.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.firstethernet.managed.yaml b/mdm/profiles/com.apple.firstethernet.managed.yaml index 0d1bcd1..c9b2a9c 100644 --- a/mdm/profiles/com.apple.firstethernet.managed.yaml +++ b/mdm/profiles/com.apple.firstethernet.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.font.yaml b/mdm/profiles/com.apple.font.yaml index b9162e2..118fcb6 100644 --- a/mdm/profiles/com.apple.font.yaml +++ b/mdm/profiles/com.apple.font.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '7.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -13,6 +14,7 @@ payload: mode: allowed macOS: introduced: '10.9' + multiple: true devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.gamed.yaml b/mdm/profiles/com.apple.gamed.yaml index a3f9d53..28c84a0 100644 --- a/mdm/profiles/com.apple.gamed.yaml +++ b/mdm/profiles/com.apple.gamed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.9' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.globalethernet.managed.yaml b/mdm/profiles/com.apple.globalethernet.managed.yaml index a97d3a2..d69c150 100644 --- a/mdm/profiles/com.apple.globalethernet.managed.yaml +++ b/mdm/profiles/com.apple.globalethernet.managed.yaml 
@@ -3,8 +3,20 @@ description: '' payload: payloadtype: com.apple.globalethernet.managed supportedOS: + iOS: + introduced: '17.0' + multiple: false + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: true + userenrollment: + mode: allowed macOS: introduced: '10.13' + multiple: false devicechannel: true userchannel: true requiresdep: false @@ -12,10 +24,15 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: '17.0' + multiple: false + supervised: false + allowmanualinstall: true payloadkeys: - key: ANY type: presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not + content: Keys relevant to 802.1X configuration. User enrollment payloads do not support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, - ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. + ProxyUsername, ProxyPassword, ProxyPACURL and ProxyPACFallbackAllowed. diff --git a/mdm/profiles/com.apple.google-oauth.yaml b/mdm/profiles/com.apple.google-oauth.yaml index d4988d4..7e62555 100644 --- a/mdm/profiles/com.apple.google-oauth.yaml +++ b/mdm/profiles/com.apple.google-oauth.yaml @@ -6,6 +6,7 @@ payload: supportedOS: iOS: introduced: '9.3' + multiple: true supervised: false allowmanualinstall: true sharedipad: diff --git a/mdm/profiles/com.apple.homescreenlayout.yaml b/mdm/profiles/com.apple.homescreenlayout.yaml index 666ecd5..72bcbfd 100644 --- a/mdm/profiles/com.apple.homescreenlayout.yaml +++ b/mdm/profiles/com.apple.homescreenlayout.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '9.3' + multiple: false supervised: true allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: forbidden tvOS: introduced: '11.0' + multiple: false supervised: true allowmanualinstall: true content: The payload defines a layout of apps, folders, & web clips for the Home 
diff --git a/mdm/profiles/com.apple.ironwood.support.yaml b/mdm/profiles/com.apple.ironwood.support.yaml index 26dd196..4e9ac2f 100644 --- a/mdm/profiles/com.apple.ironwood.support.yaml +++ b/mdm/profiles/com.apple.ironwood.support.yaml @@ -6,6 +6,7 @@ payload: macOS: introduced: '10.9' deprecated: '10.13' + multiple: false devicechannel: true userchannel: true requiresdep: false @@ -18,9 +19,10 @@ payloadkeys: type: presence: optional default: true - content: If 'false', suppresses profanity. + content: If 'false', suppresses profanity. Use 'forceAssistantProfanityFilter' in + Restrictions instead. - key: Ironwood Allowed type: presence: optional default: true - content: If 'false', disables dictation. + content: If 'false', disables dictation. Use 'allowDictation' in Restrictions instead. diff --git a/mdm/profiles/com.apple.jabber.account.yaml b/mdm/profiles/com.apple.jabber.account.yaml index ad6a0f8..1440279 100644 --- a/mdm/profiles/com.apple.jabber.account.yaml +++ b/mdm/profiles/com.apple.jabber.account.yaml @@ -8,6 +8,7 @@ payload: introduced: '10.7' deprecated: '10.14' removed: '10.14' + multiple: true devicechannel: false userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.ldap.account.yaml b/mdm/profiles/com.apple.ldap.account.yaml index 8d87893..e59a044 100644 --- a/mdm/profiles/com.apple.ldap.account.yaml +++ b/mdm/profiles/com.apple.ldap.account.yaml @@ -6,6 +6,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -16,6 +17,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: false userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.loginitems.managed.yaml b/mdm/profiles/com.apple.loginitems.managed.yaml index 8de1d70..306ea2a 100644 --- a/mdm/profiles/com.apple.loginitems.managed.yaml +++ b/mdm/profiles/com.apple.loginitems.managed.yaml 
@@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.13' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -32,4 +33,4 @@ payloadkeys: type: presence: optional default: false - content: If true, hide this item in the Users & Groups login items list. + content: If 'true', hide this item in the Users & Groups login items list. diff --git a/mdm/profiles/com.apple.loginwindow.yaml b/mdm/profiles/com.apple.loginwindow.yaml index 52f760c..df86b03 100644 --- a/mdm/profiles/com.apple.loginwindow.yaml +++ b/mdm/profiles/com.apple.loginwindow.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: false requiresdep: false @@ -144,7 +145,7 @@ payloadkeys: type: presence: optional default: false - content: If 'True', shows the Input Menu in the login window. + content: If 'true', shows the Input Menu in the login window. - key: DisableFDEAutoLogin supportedOS: macOS: @@ -152,4 +153,22 @@ payloadkeys: type: presence: optional default: false - content: If t'rue', disables the automatic login option when using FileVault. + content: If 'true', disables the automatic login option when using FileVault. +- key: AutologinUsername + supportedOS: + macOS: + introduced: '14.0' + allowmanualinstall: false + type: + presence: optional + content: The user short name to set up auto login. +- key: AutologinPassword + supportedOS: + macOS: + introduced: '14.0' + allowmanualinstall: false + type: + presence: optional + content: An optional user password to set up auto login. If this key doesn't exist + but a user name does exist, the system sets up auto login the next time the user + logs in to the client. diff --git a/mdm/profiles/com.apple.lom.yaml b/mdm/profiles/com.apple.lom.yaml index d8d5d9d..9395f25 100644 --- a/mdm/profiles/com.apple.lom.yaml +++ b/mdm/profiles/com.apple.lom.yaml 
@@ -6,6 +6,7 @@ payload: supportedOS: macOS: introduced: '11.0' + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.mail.managed.yaml b/mdm/profiles/com.apple.mail.managed.yaml index ca6a94a..d5b2569 100644 --- a/mdm/profiles/com.apple.mail.managed.yaml +++ b/mdm/profiles/com.apple.mail.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: false userchannel: true requiresdep: false @@ -207,6 +209,8 @@ payloadkeys: supportedOS: iOS: introduced: '10.0' + macOS: + introduced: n/a type: presence: optional default: false @@ -231,6 +235,8 @@ payloadkeys: iOS: introduced: '8.0' deprecated: '10.0' + macOS: + introduced: n/a type: presence: optional default: false @@ -287,6 +293,8 @@ payloadkeys: supportedOS: iOS: introduced: '12.0' + macOS: + introduced: n/a type: presence: optional default: false diff --git a/mdm/profiles/com.apple.mcxMenuExtras.yaml b/mdm/profiles/com.apple.mcxMenuExtras.yaml index 70c3555..50c571c 100644 --- a/mdm/profiles/com.apple.mcxMenuExtras.yaml +++ b/mdm/profiles/com.apple.mcxMenuExtras.yaml @@ -4,6 +4,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.mcxloginscripts.yaml b/mdm/profiles/com.apple.mcxloginscripts.yaml index 0e96028..e93470b 100644 --- a/mdm/profiles/com.apple.mcxloginscripts.yaml +++ b/mdm/profiles/com.apple.mcxloginscripts.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.mcxprinting.yaml b/mdm/profiles/com.apple.mcxprinting.yaml index a83690e..e21029e 100644 --- a/mdm/profiles/com.apple.mcxprinting.yaml 
+++ b/mdm/profiles/com.apple.mcxprinting.yaml @@ -4,6 +4,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.mdm.yaml b/mdm/profiles/com.apple.mdm.yaml index ac522f6..f23eea9 100644 --- a/mdm/profiles/com.apple.mdm.yaml +++ b/mdm/profiles/com.apple.mdm.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: false supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: false requiresdep: false @@ -24,8 +26,14 @@ payload: mode: allowed tvOS: introduced: '6.0' + multiple: false supervised: false allowmanualinstall: true + watchOS: + introduced: '10.0' + multiple: false + supervised: true + allowmanualinstall: false payloadkeys: - key: IdentityCertificateUUID title: Identity Certificate UUID 
@@ -105,48 +113,61 @@ payloadkeys: supportedOS: iOS: introduced: '13.1' + deprecated: '17.0' userenrollment: mode: required macOS: introduced: '10.15' + deprecated: '14.0' userenrollment: mode: required tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: The Managed Apple ID of the user. Available in iOS 13.1 and later, and - macOS 10.15 and later. This is only used with the profile-based BYOD enrollment - flow. + macOS 10.15 and later. This is only used with the profile-driven BYOD enrollment + flow, and must not be present in the BYOD and ADDE account-driven enrollment flows. + As of iOS 17 and macOS 14, profile-driven user enrollments are deprecated and + will be removed in a future release. - key: AssignedManagedAppleID title: Assigned Managed Apple ID supportedOS: iOS: introduced: '15.0' macOS: - introduced: n/a + introduced: '14.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional - content: The Managed Apple ID pre-assigned to the authenticated user. This is only - used with the account-based BYOD enrollment flow. Available in iOS 15 and later. + content: The Managed Apple ID pre-assigned to the authenticated user. This is required + for the BYOD and ADDE account-driven enrollment flows, and must not be present + in other enrollment flows. Available in iOS 15 and macOS 14, and later. - key: EnrollmentMode title: Enrollment Mode supportedOS: iOS: introduced: '15.0' macOS: - introduced: n/a + introduced: '14.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional rangelist: - BYOD + - ADDE content: The enrollment mode the server indicates must be used when enrolling. This - must be present for account-based BYOD enrollments, but must not be present for - profile-based BYOD enrollments. Available in iOS 15 and later. + key must be present for BYOD and ADDE account-driven enrollments, and must not + be present in the profile-driven user enrollment flow. 
Available in iOS 15 and + macOS 14, and later. - key: ServerURLPinningCertificateUUIDs supportedOS: iOS: @@ -201,12 +222,14 @@ payloadkeys: content: |- A unique array of strings indicating server capabilities. If the server manages macOS devices or a Shared iPad, this field is mandatory and must contain the value 'com.apple.mdm.per-user-connections', which indicates that the server supports both device and user connections. Starting with macOS 11, it is also recommended that macOS device enrollment profiles contain the value 'com.apple.mdm.bootstraptoken' to ensure the Bootstrap Token is created and escrowed with the MDM server at enrollment time. + If the server supports the "GetToken" CheckIn message type, then this key must be present and must include "com.apple.mdm.token" as one of its values. subkeys: - key: ServerCapabilitiesItems type: rangelist: - com.apple.mdm.per-user-connections - com.apple.mdm.bootstraptoken + - com.apple.mdm.token - key: CheckOutWhenRemoved type: presence: optional @@ -221,6 +244,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: |- @@ -235,6 +260,8 @@ payloadkeys: introduced: '11.0' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false diff --git a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml index d8e16b9..33b2daa 100644 --- a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml +++ b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -13,6 +14,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: true requiresdep: false 
@@ -20,6 +22,11 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + watchOS: + introduced: '10.0' + multiple: true + supervised: false + allowmanualinstall: true payloadkeys: - key: allowSimple title: Allow Simple Value @@ -30,9 +37,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents use of a simple passcode. A simple passcode contains - repeated characters, or increasing or decreasing characters (such as '123' or - 'CBA'). + content: If 'false', the system prevents use of a simple passcode. A simple passcode + contains repeated characters, or increasing or decreasing characters, such as + '123' or 'CBA'. - key: forcePIN title: Require Passcode on Device supportedOS: @@ -42,7 +49,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', forces the user to enter a PIN. + content: If 'true', the system forces the user to enter a PIN. - key: maxFailedAttempts title: Maximum Number of Failed Attempts supportedOS: @@ -56,10 +63,11 @@ payloadkeys: max: 11 default: 11 content: The number of allowed failed attempts to enter the passcode at the device's - lock screen. After six failed attempts, a time delay is imposed before a passcode - can be entered again. The delay increases with each attempt. In macOS, set 'minutesUntilFailedLoginReset' - to define a delay before the next passcode can be entered. When this number is - exceeded in macOS, the device is locked; in iOS, the device is wiped. + lock screen. After six failed attempts, the system imposes a time delay before + a passcode can be entered again. The delay increases with each attempt. In macOS, + set 'minutesUntilFailedLoginReset' to define a delay before the next passcode + can be entered. When this number is exceeded in macOS, the system locks the device; + in iOS, the system wipes the device. - key: maxInactivity title: Auto-Lock supportedOS: 
@@ -71,12 +79,10 @@ payloadkeys: range: min: 0 max: 15 - content: The maximum number of minutes for which the device can be idle, without - being unlocked by the user, before it gets locked by the system. When this limit - is reached, the device is locked and the passcode must be entered. The user can - edit this setting, but the value cannot exceed the 'maxInactivity' value. In macOS, - this inactivity value is translated to screen-saver settings. The maximum value - for macOS is 60 minutes. + content: |- + The maximum number of minutes for which the device can be idle without the user unlocking it, before the system locks it. When this limit is reached, the system locks the device and the passcode is required to unlock it. The user can edit this setting, but the value can't exceed the 'maxInactivity' value. + In macOS, the system translates this inactivity value to screen-saver settings. The maximum value for macOS is '60'. + Setting this key removes the 'never' option in the Settings UI on user enrolled devices. - key: maxPINAgeInDays title: Maximum Passcode Age supportedOS: @@ -89,14 +95,16 @@ payloadkeys: min: 0 max: 730 content: The number of days for which the passcode can remain unchanged. After this - number of days, the user is forced to change the passcode before the device is - unlocked. + number of days, the system forces the user to change the passcode before it unlocks + the device. - key: minComplexChars title: Minimum Number of Complex Characters supportedOS: iOS: userenrollment: mode: ignored + watchOS: + introduced: n/a type: presence: optional range: 
@@ -104,8 +112,8 @@ payloadkeys: max: 4 default: 0 content: |- - The minimum number of complex characters that a passcode must contain. A complex character is a character other than a number or a letter, such as & % $ #. - This property is ignored for User Enrollments. + The minimum number of complex characters that a passcode needs to contain. A complex character is a character other than a number or a letter, such as '&', '%', '$', and '#'. + The system ignores this property for User Enrollments. - key: minLength title: Minimum Passcode Length supportedOS: @@ -118,18 +126,20 @@ payloadkeys: min: 0 max: 16 default: 0 - content: The minimum overall length of the passcode. This parameter is independent - of the also optional minComplexChars argument. + content: The minimum overall length of the passcode. This value is independent of + the value for 'minComplexChars'. - key: requireAlphanumeric title: Require Alphabetic Value supportedOS: iOS: userenrollment: mode: ignored + watchOS: + introduced: n/a type: presence: optional default: false - content: If 'true', requires alphabetic characters (abcd) instead of only numeric + content: If 'true', the system requires alphabetic characters instead of only numeric characters. - key: pinHistory title: Passcode History @@ -154,8 +164,9 @@ payloadkeys: presence: optional default: 0 content: The maximum grace period, in minutes, to unlock the phone without entering - a passcode. The default is 0, which is no grace period and requires a passcode - immediately. In macOS, this grace period value is translated to screen-saver settings. + a passcode. The default is '0', which is no grace period and requires a passcode + immediately. In macOS, the system translates this grace period value to screen-saver + settings. - key: minutesUntilFailedLoginReset supportedOS: iOS: 
@@ -164,10 +175,12 @@ payloadkeys: introduced: '10.10' userenrollment: mode: ignored + watchOS: + introduced: n/a type: presence: optional - content: The number of minutes before the login is reset after the maximum number - of unsuccessful login attempts is reached. This key requires setting 'maxFailedAttempts'. + content: The number of minutes before the system resets the login after the maximum + number of unsuccessful login attempts is reached. This key requires setting 'maxFailedAttempts'. Available in macOS 10.10 and later. - key: changeAtNextAuth supportedOS: 
@@ -177,10 +190,45 @@ payloadkeys: introduced: '10.13' userenrollment: mode: ignored + watchOS: + introduced: n/a type: presence: optional default: false - content: If 'true', causes a password reset to occur the next time the user tries - to authenticate. If this key is set in a device profile, the setting takes effect - for all users, and admin authentications may fail until the admin user password - is also reset. Available in macOS 10.13 and later. + content: If 'true', the system causes a password reset to occur the next time the + user tries to authenticate. If this key is set in a device profile, the setting + takes effect for all users, and admin authentications may fail until the admin + user password is also reset. Available in macOS 10.13 and later. +- key: customRegex + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + watchOS: + introduced: n/a + type: + presence: optional + content: |- + Specifies a regular expression, and its description, used to enforce password compliance. Use the simpler passcode restrictions whenever possible, and rely on regular expression matching only when necessary. Mistakes in regular expressions can lead to frustrating user experiences, such as unsatisfiable passcode policies, or policy descriptions that don't match the enforced policy. + Available in macOS 14 and later. + subkeys: + - key: passwordContentRegex + type: + presence: required + content: A regular expression string that they system matches against the password + to determine whether it complies with a policy. The regular expression uses + the ICU syntax (). + The string must not exceed 2048 characters in length. + - key: passwordContentDescription + type: + presence: optional + content: Contains a dictionary of keys for supported OS language IDs (for example, + “en-US”), and whose values represent a localized description of the policy enforced + by the regular expression. 
Use the special 'default' key can for languages that + aren't contained in the dictionary. + subkeys: + - key: ANY + type: + presence: optional + content: A localized description. diff --git a/mdm/profiles/com.apple.networkusagerules.yaml b/mdm/profiles/com.apple.networkusagerules.yaml index 36af07c..c36e045 100644 --- a/mdm/profiles/com.apple.networkusagerules.yaml +++ b/mdm/profiles/com.apple.networkusagerules.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '9.0' + multiple: false supervised: false allowmanualinstall: false sharedipad: diff --git a/mdm/profiles/com.apple.notificationsettings.yaml b/mdm/profiles/com.apple.notificationsettings.yaml index 8b1106b..38355d1 100644 --- a/mdm/profiles/com.apple.notificationsettings.yaml +++ b/mdm/profiles/com.apple.notificationsettings.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '9.3' + multiple: false supervised: true allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: forbidden macOS: introduced: '10.15' + multiple: true devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.osxserver.account.yaml b/mdm/profiles/com.apple.osxserver.account.yaml index b655656..aedf6ca 100644 --- a/mdm/profiles/com.apple.osxserver.account.yaml +++ b/mdm/profiles/com.apple.osxserver.account.yaml @@ -7,6 +7,7 @@ payload: introduced: '9.0' deprecated: '12.0' removed: '12.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: diff --git a/mdm/profiles/com.apple.preference.security.yaml b/mdm/profiles/com.apple.preference.security.yaml index 3562fe1..4b81426 100644 --- a/mdm/profiles/com.apple.preference.security.yaml +++ b/mdm/profiles/com.apple.preference.security.yaml @@ -4,6 +4,7 @@ payload: supportedOS: macOS: introduced: '10.10' + multiple: false devicechannel: true userchannel: true requiresdep: false 
diff --git a/mdm/profiles/com.apple.preferences.users.yaml b/mdm/profiles/com.apple.preferences.users.yaml index 8d8bbcf..cab2f3f 100644 --- a/mdm/profiles/com.apple.preferences.users.yaml +++ b/mdm/profiles/com.apple.preferences.users.yaml @@ -4,6 +4,7 @@ payload: supportedOS: macOS: introduced: '10.12' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.profileRemovalPassword.yaml b/mdm/profiles/com.apple.profileRemovalPassword.yaml index 23d0c66..c4509b7 100644 --- a/mdm/profiles/com.apple.profileRemovalPassword.yaml +++ b/mdm/profiles/com.apple.profileRemovalPassword.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: false supervised: true allowmanualinstall: true sharedipad: @@ -13,6 +14,7 @@ payload: mode: forbidden macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false @@ -22,6 +24,7 @@ payload: mode: forbidden tvOS: introduced: '9.0' + multiple: false supervised: true allowmanualinstall: true payloadkeys: diff --git a/mdm/profiles/com.apple.proxy.http.global.yaml b/mdm/profiles/com.apple.proxy.http.global.yaml index aad59c3..b9b498a 100644 --- a/mdm/profiles/com.apple.proxy.http.global.yaml +++ b/mdm/profiles/com.apple.proxy.http.global.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '6.0' + multiple: false supervised: true allowmanualinstall: true sharedipad: @@ -15,9 +16,9 @@ payload: mode: forbidden macOS: introduced: '10.9' + multiple: false devicechannel: true userchannel: false - supervised: true requiresdep: false userapprovedmdm: false allowmanualinstall: true @@ -25,6 +26,7 @@ payload: mode: forbidden tvOS: introduced: '6.0' + multiple: false supervised: true allowmanualinstall: true content: PEM-encoded cer 
@@ -44,30 +46,37 @@ payloadkeys: title: Proxy Server type: subtype: - presence: required - content: The proxy server's network address. + presence: optional + content: The proxy server's network address. This is required if the ProxyType is + set to Manual, and is ignored if the ProxyType is set to Automatic. - key: ProxyServerPort title: Proxy Server Port type: - presence: required - content: The proxy server's port number. + presence: optional + content: The proxy server's port number. This is required if the ProxyType is set + to Manual, and is ignored if the ProxyType is set to Automatic. - key: ProxyUsername title: Proxy Username type: presence: optional - content: The user name used to authenticate to the proxy server. + content: The user name used to authenticate to the proxy server. This setting is + only used if the ProxyType is set to Manual, and is ignored if the ProxyType is + set to Automatic. - key: ProxyPassword title: Proxy Password type: presence: optional - content: The password used to authenticate to the proxy server. + content: The password used to authenticate to the proxy server. This setting is + only used if the ProxyType is set to Manual, and is ignored if the ProxyType is + set to Automatic. - key: ProxyPACURL title: Proxy PAC URL type: presence: optional content: The URL of the PAC file that defines the proxy configuration. Starting in iOS 13 and macOS 10.15, only URLs that begin with 'http://' or 'https://' are - allowed. + allowed. This setting is only used if the ProxyType is set to Automatic, and is + ignored if the ProxyType is set to Manual. - key: ProxyPACFallbackAllowed title: Proxy PAC Fallback Allowed supportedOS: diff --git a/mdm/profiles/com.apple.relay.managed.yaml b/mdm/profiles/com.apple.relay.managed.yaml new file mode 100644 index 0000000..9ad718d --- /dev/null +++ b/mdm/profiles/com.apple.relay.managed.yaml 
@@ -0,0 +1,115 @@ +title: Relay +description: Use this section to define settings for network relays. +payload: + payloadtype: com.apple.relay.managed + supportedOS: + iOS: + introduced: '17.0' + multiple: true + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '14.0' + multiple: true + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden +payloadkeys: +- key: Relays + title: Relays + type: + presence: required + content: An array of dictionaries that describes one or more relay servers that + can be chained together. + subkeys: + - key: Relay + title: Network Relay + type: + subkeys: + - key: HTTP3RelayURL + title: HTTP/3 Relay URL + type: + presence: optional + content: The URL or URI template (such as defined in RFC 9298) of a relay server + that is reachable using HTTP/3 and supports proxying TCP and UDP using the + CONNECT method. Each relay must have at least one URL, for either HTTP/3 or + HTTP/2, and may support both. + - key: HTTP2RelayURL + title: HTTP/2 Relay URL + type: + presence: optional + content: The URL or URI template (such as defined in RFC 9298) of a relay server + that is reachable using HTTP/2 and supports proxying TCP and UDP using the + CONNECT method. Each relay must have at least one URL, for either HTTP/3 or + HTTP/2, and may support both. + - key: AdditionalHTTPHeaderFields + title: Additional HTTP Header Fields + type: + presence: optional + content: A dictionary of custom HTTP header keys and values to add to each request + to the relay. The dictionary key name represents the HTTP header field name + to use, and the dictionary value is the string to use as the HTTP header field + value. 
+ subkeys: + - key: ANY + type: + presence: required + content: The HTTP header field value for the corresponding header field name. + - key: PayloadCertificateUUID + title: Certificate UUID + type: + presence: optional + format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ + content: UUID pointing to an identity certificate payload. This identity will + be used to authenticate the user to the relay server. + - key: RawPublicKeys + title: Raw Public Keys + type: + presence: optional + content: An array of raw public keys used to authenticate the server during + a TLS handshake. The server must use one of the keys in the handshake in order + to authenticate. If no keys are specified, default TLS trust evaluation is + used. + subkeys: + - key: RawPublicKeysElement + title: Raw Public Key Element + type: +- key: MatchDomains + title: Match Domains + type: + presence: optional + content: A list of domain strings used to determine which connection should be routed + through the servers contained in Relays. Any connection that matches the domain + exactly or is a subdomain of the listed domain will use the relay servers, unless + they match an excluded domain. If no domains are listed, traffic to all domains, + except those matching an excluded domain, will be routed to the relay servers. + subkeys: + - key: MatchDomainsElement + title: Match Domains Element + type: +- key: ExcludedDomains + title: Excluded Domains + type: + presence: optional + content: A list of domain strings that should not be routed through the servers + contained in Relays. Any connection that matches the domain exactly or is a subdomain + of the listed domain will not use the relay server. + subkeys: + - key: ExcludedDomainsElement + title: Excluded Domains Element + type: +- key: RelayUUID + type: + presence: optional + content: A globally-unique identifier for this relay configuration. 
This UUID is + used to route managed apps through the servers contained in Relays. diff --git a/mdm/profiles/com.apple.screensaver.user.yaml b/mdm/profiles/com.apple.screensaver.user.yaml index 9c8e567..ee1f2fd 100644 --- a/mdm/profiles/com.apple.screensaver.user.yaml +++ b/mdm/profiles/com.apple.screensaver.user.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.11' + multiple: false devicechannel: false userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.screensaver.yaml b/mdm/profiles/com.apple.screensaver.yaml index db6efde..e1b22cd 100644 --- a/mdm/profiles/com.apple.screensaver.yaml +++ b/mdm/profiles/com.apple.screensaver.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.11' + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.secondactiveethernet.managed.yaml b/mdm/profiles/com.apple.secondactiveethernet.managed.yaml index b129fd2..5b3f80b 100644 --- a/mdm/profiles/com.apple.secondactiveethernet.managed.yaml +++ b/mdm/profiles/com.apple.secondactiveethernet.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.secondethernet.managed.yaml b/mdm/profiles/com.apple.secondethernet.managed.yaml index 32ee7ea..784310b 100644 --- a/mdm/profiles/com.apple.secondethernet.managed.yaml +++ b/mdm/profiles/com.apple.secondethernet.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml b/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml index 3e37fe4..7c72416 100644 --- a/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml +++ b/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml 
@@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.13' + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml b/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml index d16d160..cd80dc6 100644 --- a/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml +++ b/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml @@ -6,6 +6,7 @@ payload: macOS: introduced: '10.9' deprecated: '10.13' + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.security.acme.yaml b/mdm/profiles/com.apple.security.acme.yaml index 794fd41..c41f91d 100644 --- a/mdm/profiles/com.apple.security.acme.yaml +++ b/mdm/profiles/com.apple.security.acme.yaml @@ -6,6 +6,7 @@ payload: supportedOS: iOS: introduced: '16.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -16,6 +17,7 @@ payload: mode: allowed macOS: introduced: '13.1' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -25,6 +27,12 @@ payload: mode: allowed tvOS: introduced: '16.0' + multiple: true + supervised: false + allowmanualinstall: true + watchOS: + introduced: '9.0' + multiple: true supervised: false allowmanualinstall: true content: Use this payload to specify settings that allow the device to request a 
@@ -33,8 +41,8 @@ payload: it requests an attestation of the key and device properties. Then it communicates with the ACME server to authenticate the device, provide the attestation, and request a matching certificate based upon the ClientIdentifier, Subject, SubjectAltName, - KeyUsage, and ExtendedKeyUsage fields. The ACME server issues a certificate and - the device installs it in the keychain. Other payloads can reference the resulting + UsageFlags, and ExtendedKeyUsage fields. The ACME server issues a certificate + and the device installs it in the keychain. Other payloads can reference the resulting client identity by the payload's PayloadUUID. payloadkeys: - key: DirectoryURL @@ -77,7 +85,7 @@ payloadkeys: If 'false', the private key isn't bound to the device. If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This prevents the system from exporting the private key. If 'true', 'KeyType' must be 'ECSECPrimeRandom' and 'KeySize' must be 256 or 384. - On macOS, this key is required but must have a value of 'false'. + This key is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. Older macOS versions or other Mac devices require this key but it must have a value of 'false'. - key: Subject title: Subject type: 
@@ -88,16 +96,16 @@ payloadkeys: [ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ] Dotted numbers can represent OIDs , with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN). subkeys: - - key: SCEPSubjectArrayInnerArray - title: Array Inside SCEP Subject Array + - key: ACMESubjectArrayInnerArray + title: Array Inside ACME Subject Array type: subkeys: - - key: SCEPSubjectArrayPair + - key: ACMESubjectArrayPair title: Subject Array Pair type: subkeys: - - key: SCEPSubjectArrayPairItem - title: SCEP Subject Array Pair Item + - key: ACMESubjectArrayPairItem + title: ACME Subject Array Pair Item type: repetition: min: 2 @@ -137,7 +145,7 @@ payloadkeys: content: |- This value is a bit field. * Bit '0x01' indicates digital signature. - * Bit '0x10' indicates key agreement. + * Bit '0x04' indicates encryption. The device requests this key for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. - key: ExtendedKeyUsage title: Extended Key Usage 
@@ -152,19 +160,24 @@ payloadkeys: presence: optional - key: Attest title: Attest + supportedOS: + watchOS: + introduced: '10.0' type: presence: optional default: false content: |- If 'true', the device provides attestations describing the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate. When 'Attest' is 'true', 'HardwareBound' must also be 'true'. - On macOS, if this key is present, it must have a value of 'false'. + This key is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. If this key is specified for older macOS versions or other Mac devices, it must have a value of 'false'. - key: KeyIsExtractable supportedOS: iOS: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true @@ -177,6 +190,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false diff --git a/mdm/profiles/com.apple.security.certificatepreference.yaml b/mdm/profiles/com.apple.security.certificatepreference.yaml index 8c7d5f7..2dbb030 100644 --- a/mdm/profiles/com.apple.security.certificatepreference.yaml +++ b/mdm/profiles/com.apple.security.certificatepreference.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.12' + multiple: true devicechannel: false userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.security.certificaterevocation.yaml b/mdm/profiles/com.apple.security.certificaterevocation.yaml index 3ae5129..6aaffd0 100644 --- a/mdm/profiles/com.apple.security.certificaterevocation.yaml +++ b/mdm/profiles/com.apple.security.certificaterevocation.yaml 
@@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '14.2' + multiple: true supervised: false allowmanualinstall: true sharedipad: diff --git a/mdm/profiles/com.apple.security.certificatetransparency.yaml b/mdm/profiles/com.apple.security.certificatetransparency.yaml index 51d621a..f3991b0 100644 --- a/mdm/profiles/com.apple.security.certificatetransparency.yaml +++ b/mdm/profiles/com.apple.security.certificatetransparency.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: 12.1.1 + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: 10.14.2 + multiple: true devicechannel: true userchannel: false requiresdep: false @@ -24,10 +26,12 @@ payload: mode: allowed tvOS: introduced: 12.1.1 + multiple: true supervised: false allowmanualinstall: true watchOS: introduced: 5.1.1 + multiple: true supervised: false allowmanualinstall: true content: Policies that affect system-wide certificate transparency enforcement. diff --git a/mdm/profiles/com.apple.security.firewall.yaml b/mdm/profiles/com.apple.security.firewall.yaml index 9c519b6..d51e3aa 100644 --- a/mdm/profiles/com.apple.security.firewall.yaml +++ b/mdm/profiles/com.apple.security.firewall.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.12' + multiple: true devicechannel: true userchannel: false requiresdep: false @@ -77,6 +78,7 @@ payloadkeys: introduced: '12.3' type: presence: optional + default: true content: |- If 'true', allows built-in software to receive incoming connections. Available in macOS 12.3 and later. @@ -86,6 +88,7 @@ payloadkeys: introduced: '12.3' type: presence: optional + default: true content: |- If 'true', allows downloaded signed software to receive incoming connections. Available in macOS 12.3 and later. diff --git a/mdm/profiles/com.apple.security.identitypreference.yaml b/mdm/profiles/com.apple.security.identitypreference.yaml index 77b0d2e..59337ea 100644 
--- a/mdm/profiles/com.apple.security.identitypreference.yaml +++ b/mdm/profiles/com.apple.security.identitypreference.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.12' + multiple: true devicechannel: false userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.security.pem.yaml b/mdm/profiles/com.apple.security.pem.yaml index 54fedba..913f692 100644 --- a/mdm/profiles/com.apple.security.pem.yaml +++ b/mdm/profiles/com.apple.security.pem.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -24,10 +26,12 @@ payload: mode: allowed tvOS: introduced: '5.0' + multiple: true supervised: false allowmanualinstall: true watchOS: introduced: '3.0' + multiple: true allowmanualinstall: true content: PEM-encoded certificate without private key. May contain root certificates. payloadkeys: diff --git a/mdm/profiles/com.apple.security.pkcs1.yaml b/mdm/profiles/com.apple.security.pkcs1.yaml index 727c4ae..7f4e64f 100644 --- a/mdm/profiles/com.apple.security.pkcs1.yaml +++ b/mdm/profiles/com.apple.security.pkcs1.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -24,10 +26,12 @@ payload: mode: allowed tvOS: introduced: '5.0' + multiple: true supervised: false allowmanualinstall: true watchOS: introduced: '3.0' + multiple: true allowmanualinstall: true content: DER-encoded certificate without private key. May contain root certificates. payloadkeys: diff --git a/mdm/profiles/com.apple.security.pkcs12.yaml b/mdm/profiles/com.apple.security.pkcs12.yaml index 7843204..aeffc29 100644 
--- a/mdm/profiles/com.apple.security.pkcs12.yaml +++ b/mdm/profiles/com.apple.security.pkcs12.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -24,10 +26,12 @@ payload: mode: allowed tvOS: introduced: '5.0' + multiple: true supervised: false allowmanualinstall: true watchOS: introduced: '3.0' + multiple: true allowmanualinstall: true content: Password-protected identity certificate. Only one certificate may be included. payloadkeys: @@ -77,4 +81,4 @@ payloadkeys: type: presence: optional default: true - content: If false, does not tag the private key data as extractable in the keychain. + content: If 'false', does not tag the private key data as extractable in the keychain. diff --git a/mdm/profiles/com.apple.security.root.yaml b/mdm/profiles/com.apple.security.root.yaml index aed88f1..e979518 100644 --- a/mdm/profiles/com.apple.security.root.yaml +++ b/mdm/profiles/com.apple.security.root.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -24,10 +26,12 @@ payload: mode: allowed tvOS: introduced: '5.0' + multiple: true supervised: false allowmanualinstall: true watchOS: introduced: '3.0' + multiple: true allowmanualinstall: true content: Alias for com.apple.security.pkcs1. payloadkeys: diff --git a/mdm/profiles/com.apple.security.scep.yaml b/mdm/profiles/com.apple.security.scep.yaml index 0bb1025..f33739c 100644 --- a/mdm/profiles/com.apple.security.scep.yaml +++ b/mdm/profiles/com.apple.security.scep.yaml 
@@ -6,6 +6,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -16,6 +17,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -25,6 +27,12 @@ payload: mode: allowed tvOS: introduced: '6.0' + multiple: true + supervised: false + allowmanualinstall: true + watchOS: + introduced: '3.0' + multiple: true supervised: false allowmanualinstall: true payloadkeys: @@ -106,10 +114,8 @@ payloadkeys: default: 0 content: |- A bitmask indicating the use of the key. - * 1: Signing * 4: Encryption - Some certificate authorities, such as Windows CA, support only encryption or signing, but not both at the same time. - key: CAFingerprint title: Fingerprint diff --git a/mdm/profiles/com.apple.security.smartcard.yaml b/mdm/profiles/com.apple.security.smartcard.yaml index 3ed7bf6..493b4ad 100644 --- a/mdm/profiles/com.apple.security.smartcard.yaml +++ b/mdm/profiles/com.apple.security.smartcard.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: 10.12.4 + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.servicemanagement.yaml b/mdm/profiles/com.apple.servicemanagement.yaml index 1fc67e6..f4a4195 100644 --- a/mdm/profiles/com.apple.servicemanagement.yaml +++ b/mdm/profiles/com.apple.servicemanagement.yaml @@ -6,6 +6,7 @@ payload: supportedOS: macOS: introduced: '13.0' + multiple: true devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.shareddeviceconfiguration.yaml b/mdm/profiles/com.apple.shareddeviceconfiguration.yaml index 1980e04..9a229d1 100644 --- a/mdm/profiles/com.apple.shareddeviceconfiguration.yaml +++ b/mdm/profiles/com.apple.shareddeviceconfiguration.yaml @@ -6,6 +6,7 @@ payload: supportedOS: iOS: introduced: '9.3' + multiple: false supervised: true allowmanualinstall: true sharedipad: 
diff --git a/mdm/profiles/com.apple.sso.yaml b/mdm/profiles/com.apple.sso.yaml index 198c10b..5311e94 100644 --- a/mdm/profiles/com.apple.sso.yaml +++ b/mdm/profiles/com.apple.sso.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '7.0' + multiple: false supervised: false allowmanualinstall: true sharedipad: diff --git a/mdm/profiles/com.apple.subscribedcalendar.account.yaml b/mdm/profiles/com.apple.subscribedcalendar.account.yaml index ff2cc7a..463fe9f 100644 --- a/mdm/profiles/com.apple.subscribedcalendar.account.yaml +++ b/mdm/profiles/com.apple.subscribedcalendar.account.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: diff --git a/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml b/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml index ee5ea66..e4cb3e4 100644 --- a/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml +++ b/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: 10.13.2 + multiple: true devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.system-extension-policy.yaml b/mdm/profiles/com.apple.system-extension-policy.yaml index fe76aee..8632829 100644 --- a/mdm/profiles/com.apple.system-extension-policy.yaml +++ b/mdm/profiles/com.apple.system-extension-policy.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.15' + multiple: true devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.system.logging.yaml b/mdm/profiles/com.apple.system.logging.yaml index fdcb13e..c1e235c 100644 --- a/mdm/profiles/com.apple.system.logging.yaml +++ b/mdm/profiles/com.apple.system.logging.yaml 
@@ -3,8 +3,11 @@ description: '' payload: payloadtype: com.apple.system.logging supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.12' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -12,6 +15,10 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: Processes supportedOS: diff --git a/mdm/profiles/com.apple.systemmigration.yaml b/mdm/profiles/com.apple.systemmigration.yaml index 5ea24bc..ee1aa6e 100644 --- a/mdm/profiles/com.apple.systemmigration.yaml +++ b/mdm/profiles/com.apple.systemmigration.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: 10.12.4 + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.systempolicy.control.yaml b/mdm/profiles/com.apple.systempolicy.control.yaml index e67dcda..f046ccb 100644 --- a/mdm/profiles/com.apple.systempolicy.control.yaml +++ b/mdm/profiles/com.apple.systempolicy.control.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.8' + multiple: true devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.systempolicy.managed.yaml b/mdm/profiles/com.apple.systempolicy.managed.yaml index 5b8f48c..5d8b51c 100644 --- a/mdm/profiles/com.apple.systempolicy.managed.yaml +++ b/mdm/profiles/com.apple.systempolicy.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.8' + multiple: true devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.systempolicy.rule.yaml b/mdm/profiles/com.apple.systempolicy.rule.yaml index ced246e..0afa13a 100644 --- a/mdm/profiles/com.apple.systempolicy.rule.yaml +++ b/mdm/profiles/com.apple.systempolicy.rule.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.8' + multiple: true devicechannel: true userchannel: false requiresdep: false 
diff --git a/mdm/profiles/com.apple.systempreferences.yaml b/mdm/profiles/com.apple.systempreferences.yaml index d0bad09..f3174fc 100644 --- a/mdm/profiles/com.apple.systempreferences.yaml +++ b/mdm/profiles/com.apple.systempreferences.yaml @@ -5,6 +5,7 @@ payload: macOS: introduced: '10.7' deprecated: '13.0' + multiple: false devicechannel: true userchannel: true requiresdep: false @@ -85,12 +86,11 @@ payloadkeys: introduced: '13.0' type: presence: optional - content: System settings extension IDs for items that will be disabled. All other - items will be enabled. When DisabledSystemSettings is specified, DisabledPreferencePanes - and EnabledPreferencePanes are ignored. Note that a given System Settings extension + content: The list of disabled System Settings extensions. All other items will be + enabled. When DisabledSystemSettings is specified, DisabledPreferencePanes and + EnabledPreferencePanes are ignored. Note that a given System Settings extension may supply more than one section in System Settings; disabling such an extension will disable all sections it supplies. - devpubs-override: The list of disabled System Settings extensions. subkeys: - key: SettingsExtensions type: diff --git a/mdm/profiles/com.apple.systemuiserver.yaml b/mdm/profiles/com.apple.systemuiserver.yaml index 08443c1..1d1251e 100644 --- a/mdm/profiles/com.apple.systemuiserver.yaml +++ b/mdm/profiles/com.apple.systemuiserver.yaml @@ -6,6 +6,7 @@ payload: macOS: introduced: '10.7' deprecated: '11.0' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml b/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml index 98d8839..8df0f77 100644 --- a/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml +++ b/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false 
diff --git a/mdm/profiles/com.apple.thirdethernet.managed.yaml b/mdm/profiles/com.apple.thirdethernet.managed.yaml index 0ed8917..b5d64c9 100644 --- a/mdm/profiles/com.apple.thirdethernet.managed.yaml +++ b/mdm/profiles/com.apple.thirdethernet.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.tvremote.yaml b/mdm/profiles/com.apple.tvremote.yaml index 949a76c..7785de4 100644 --- a/mdm/profiles/com.apple.tvremote.yaml +++ b/mdm/profiles/com.apple.tvremote.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '11.3' + multiple: false supervised: true allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: forbidden tvOS: introduced: '11.3' + multiple: false supervised: true allowmanualinstall: true payloadkeys: @@ -49,7 +51,7 @@ payloadkeys: type: presence: required content: The MAC address of an Apple TV device that this iOS device is permitted - to control. Use the format xx:xx:xx:xx:xx:xx. The field isn't case sensitive. + to control. Use the format 'xx:xx:xx:xx:xx:xx'. The field isn't case sensitive. - key: TVDeviceName supportedOS: iOS: diff --git a/mdm/profiles/com.apple.universalaccess.yaml b/mdm/profiles/com.apple.universalaccess.yaml index 11e9798..96aa209 100644 --- a/mdm/profiles/com.apple.universalaccess.yaml +++ b/mdm/profiles/com.apple.universalaccess.yaml @@ -4,6 +4,7 @@ payload: supportedOS: macOS: introduced: '10.9' + multiple: false devicechannel: true userchannel: true requiresdep: false @@ -46,8 +47,11 @@ payloadkeys: default: false content: If 'true', enables 'Smooth images' in the Zoom options. - key: contrast - type: + type: presence: optional + range: + min: 0.0 + max: 1.0 content: The contrast value in the Display options. - key: flashScreen type: diff --git a/mdm/profiles/com.apple.vpn.managed.applayer.yaml b/mdm/profiles/com.apple.vpn.managed.applayer.yaml index a63a783..9701bbb 100644 
--- a/mdm/profiles/com.apple.vpn.managed.applayer.yaml +++ b/mdm/profiles/com.apple.vpn.managed.applayer.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '7.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.9' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -22,14 +24,24 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + watchOS: + introduced: '10.0' + multiple: true + supervised: true + allowmanualinstall: false content: The fields in this payload are the same as the VPN payload, with the addition - of the fields shown below. + of the fields shown below. On watchOS, only the IKEv2 VPN type is supported. payloadkeys: - key: VPNUUID type: presence: required content: A globally unique identifier for this VPN configuration. - key: SafariDomains + supportedOS: + watchOS: + introduced: n/a type: presence: optional content: An array with entries that must each specify a domain that triggers the @@ -46,6 +58,8 @@ payloadkeys: deprecated: '13.4' macOS: introduced: '10.15' + watchOS: + introduced: n/a type: presence: optional content: |- @@ -63,6 +77,8 @@ payloadkeys: deprecated: '13.4' macOS: introduced: '10.15' + watchOS: + introduced: n/a type: presence: optional content: |- @@ -80,6 +96,8 @@ payloadkeys: deprecated: '13.4' macOS: introduced: '10.15' + watchOS: + introduced: n/a type: presence: optional content: |- @@ -123,11 +141,8 @@ payloadkeys: presence: required content: A domain. - key: OnDemandMatchAppEnabled - type: + type: presence: optional - rangelist: - - 0 - - 1 content: If 'true', automatically connects the VPN when associated apps for this per-app VPN service initiate network communication. Otherwise, the user must initiate the connection manually before those apps can initiate network communication. 
@@ -139,6 +154,8 @@ payloadkeys: introduced: '13.0' macOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: |- diff --git a/mdm/profiles/com.apple.vpn.managed.appmapping.yaml b/mdm/profiles/com.apple.vpn.managed.appmapping.yaml index 586699a..3356508 100644 --- a/mdm/profiles/com.apple.vpn.managed.appmapping.yaml +++ b/mdm/profiles/com.apple.vpn.managed.appmapping.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.9' + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.vpn.managed.yaml b/mdm/profiles/com.apple.vpn.managed.yaml index 369de54..03a6656 100644 --- a/mdm/profiles/com.apple.vpn.managed.yaml +++ b/mdm/profiles/com.apple.vpn.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: forbidden macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -22,6 +24,11 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: '17.0' + multiple: true + supervised: false + allowmanualinstall: true payloadkeys: - key: VPNType title: Type 
@@ -30,70 +37,64 @@ payloadkeys: rangelist: - VPN - L2TP - - PPTP - IPSec - IKEv2 - AlwaysOn + - TransparentProxy content: |- The type of the VPN, which defines which settings are appropriate for this VPN payload. - If the type is 'VPN', then 'VPNSubType' is required. + If the type is 'VPN' or 'TransparentProxy', then the system requires a value for 'VPNSubType'. + 'TransparentProxy' is only available in macOS. 'L2TP' and 'IPSec' aren't available in tvOS. 'AlwaysOn' is only available on iOS and Apple Watch pairing isn't supported with 'AlwaysOn'. For a previously paired Apple Watch, all phone-watch communications cease when 'AlwaysOn' is enabled. - key: VPNSubType title: VPN Subtype type: presence: optional - content: "An identifier for a vendor-specified configuration dictionary if 'VPNType'\ - \ is 'VPN'.\nIf 'VPNType' is 'VPN', this field is required. If the configuration\ - \ is targeted at a VPN solution that uses a VPN plugin, then this field contains\ - \ the bundle identifier of the plugin. Here are some examples:\n* CiscoAnyConnect:\ - \ \L'com.cisco.anyconnect.applevpn.plugin'\n* JuniperSSL: 'net.juniper.sslvpn'\n\ - * F5SSL: 'com.f5.F5-Edge-Client.vpnplugin'\n* SonicWALLMobileConnect: \L'com.sonicwall.SonicWALL-SSLVPN.vpnplugin\ - \ '\n* ''ArubaVIA: \L'com.arubanetworks.aruba-via.vpnplugin'\nIf the configuration\ - \ is targeted at a VPN solution that uses a network extension provider, then this\ - \ field contains the bundle identifier of the app that contains the provider.\ - \ Contact the VPN solution vendor for the value of the identifier.\nIf 'VPNType'\ - \ is 'IKEv2', then the 'VPNSubType' field is optional and is reserved for future\ - \ use. If it is specified, it must contain the empty string." + content: |- + An identifier for a vendor-specified configuration dictionary when the value for 'VPNType' is 'VPN'. + If 'VPNType' is 'VPN', the system requires this field. 
If the configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier. + If 'VPNType' is 'IKEv2', then the 'VPNSubType' field is optional and reserved for future use. If it's specified, it needs to contain an empty string. + Not available in watchOS. - key: UserDefinedName title: User Defined Name type: presence: required - content: The description of the VPN connection displayed on the device. + content: The description of the VPN connection that the system displays on the device. + Not available in watchOS. - key: VendorConfig title: Vendor Configuration Dictionary type: presence: optional - content: The vendor-specific configuration dictionary. This dictionary is read only - if 'VPNSubType' is specified. + content: The vendor-specific configuration dictionary, which the system reads only + when 'VPNSubType' has a value. Not available in watchOS. subkeys: - key: Realm title: Realm type: presence: optional - content: The Kerberos realm name. This value should be properly capitalized. + content: The Kerberos realm name. This value needs to be properly capitalized. + Not available in watchOS. - key: Role title: Role type: presence: optional - content: |- - The role to select when connecting to the server. - This key is valid only for Juniper SSL. + content: The role to select when connecting to the server. This key is valid only + for Juniper SSL. Not available in watchOS. - key: Group title: Group type: presence: optional - content: |- - The group to connect to on the head end. - This key is valid only for Cisco AnyConnect + content: The group to connect to on the head end. This key is only valid for Cisco + AnyConnect. Not available in watchOS. - key: LoginGroupOrDomain title: Login Group or Domain type: presence: optional - content: The login group or domain. + content: The login group or domain. 
Not available in watchOS. - key: VPN title: VPN type: presence: optional - content: A dictionary used to specify a VPN when 'VPNType' is set to 'VPN', 'IPSec', + content: The dictionary to use to specify a VPN when 'VPNType' is 'VPN', 'IPSec', or 'IKEv2'. subkeys: - key: AuthenticationMethod @@ -121,7 +122,7 @@ payloadkeys: title: Provider Bundle Identifier type: presence: optional - content: The bundle identifier for the VPN provider. + content: The bundle identifier for the VPN provider. Not available in watchOS. - key: ProviderDesignatedRequirement title: Provider Designated Requirement supportedOS: @@ -131,8 +132,8 @@ payloadkeys: introduced: '10.15' type: presence: optional - content: If the VPN provider is implemented as a system extension, then this field - is required. + content: If the VPN provider is implemented as a system extension, this field + is required. Not available in watchOS. - key: DisconnectOnIdle title: Enable Disconnect on Idle type: @@ -141,12 +142,13 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', disconnects after an on-demand connection idles. + content: If '1', disconnects after an on-demand connection idles. - key: DisconnectOnIdleTimer title: Disconnect on Idle time type: presence: optional - content: The length of time to wait before disconnecting an on-demand connection + content: The length of time to wait, in seconds, before disconnecting an on-demand + connection. In watchOS, the maximum allowed value is '15'. - key: ProviderType type: presence: optional 
@@ -154,9 +156,9 @@ payloadkeys: - packet-tunnel - app-proxy default: packet-tunnel - content: The type of VPN service. If it is 'app-proxy', the service will tunnel - traffic at the application level. If it is 'packet-tunnel', the service will - tunnel traffic at the IP layer. + content: The type of VPN service. If the value is 'app-proxy', the service tunnels + traffic at the app level. If the value is 'packet-tunnel', the service tunnels + traffic at the IP layer. Not available in watchOS. - key: IncludeAllNetworks title: Include All Networks supportedOS: @@ -164,6 +166,8 @@ payloadkeys: introduced: '14.0' macOS: introduced: '10.15' + tvOS: + introduced: n/a type: presence: optional rangelist: @@ -191,9 +195,9 @@ payloadkeys: - 1 default: 0 content: |- - If 'true', all the VPN's non-default routes take precedence over any locally defined routes. - If 'IncludeAllNetworks' is 'true', the value of 'EnforceRoutes' is ignored. - Available in iOS 14.2 and later, and macOS 11 and later. + If '1', all the VPN's non-default routes take precedence over any locally defined routes. + If 'IncludeAllNetworks' is '1', the system ignores the value of 'EnforceRoutes'. + Available in iOS 14.2 and later, and macOS 11 and later. Not available in watchOS. - key: ExcludeLocalNetworks title: Exclude Local Networks supportedOS: @@ -201,13 +205,15 @@ payloadkeys: introduced: '14.2' macOS: introduced: '10.15' + tvOS: + introduced: n/a type: presence: optional rangelist: - 0 - 1 - content: If 'true' and 'IncludeAllNetworks' is 'true', routes all local network - traffic outside the VPN. + content: If '1' and 'IncludeAllNetworks' is '1', routes all local network traffic + outside the VPN. Not available in watchOS. - key: ExcludeCellularServices title: Exclude Cellular Services supportedOS: 
@@ -215,17 +221,20 @@ payloadkeys: introduced: '16.4' macOS: introduced: '13.3' + tvOS: + introduced: n/a type: presence: optional rangelist: - 0 - 1 default: 1 - content: If 1 and IncludeAllNetworks is 1, then internet-routable network traffic - for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual Voicemail, etc.) - is excluded from the tunnel. Note that some cellular carriers route cellular - services traffic directly to the carrier network, bypassing the internet. Such - cellular services traffic is always excluded from the tunnel. + content: If '1' and 'IncludeAllNetworks' is '1', then the system excludes internet-routable + network traffic for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual + Voicemail, etc.) from the tunnel. Note that some cellular carriers route cellular + services traffic directly to the carrier network, bypassing the internet. Such + cellular services traffic is always excluded from the tunnel. Not available + in watchOS. - key: ExcludeAPNs title: Exclude APNs supportedOS: @@ -233,14 +242,17 @@ payloadkeys: introduced: '16.4' macOS: introduced: '13.3' + tvOS: + introduced: n/a type: presence: optional rangelist: - 0 - 1 default: 1 - content: If 1 and IncludeAllNetworks is 1, then network traffic for the Apple - Push Notification service (APNs) is excluded from the tunnel. + content: If '1' and 'IncludeAllNetworks' is '1', then the system excludes the + network traffic for the Apple Push Notification service (APNs) from the tunnel. + Not available in watchOS. - key: OnDemandEnabled title: Enable VPN On Demand type: @@ -249,7 +261,7 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', enables VPN On Demand. + content: If '1', enables VPN On Demand. - key: OnDemandUserOverrideDisabled title: Prevent users from toggling VPN On Demand supportedOS: 
@@ -263,17 +275,15 @@ payloadkeys: - 0 - 1 default: 0 - content: |- - If 'true', the Connect On Demand toggle in Settings is disabled for this configuration. - Available in iOS 14 and later. + content: If '1', the Connect On Demand toggle in Settings is disabled for this + configuration. Available in iOS 14 and later. Not available in watchOS. - key: OnDemandMatchDomainsAlways title: On Demand Match Domains Always type: presence: optional - content: |- - A list of domain names. The associated domain names are treated as though they were associated with the 'OnDemandMatchDomainsOnRetry' key. - - This behavior can be overridden by 'OnDemandRules'. + content: A list of domain names. The system treats associated domain names as + though they're associated with the 'OnDemandMatchDomainsOnRetry' key. This behavior + can be overridden by 'OnDemandRules'. Not available in watchOS. subkeytype: MatchDomainAlwaysElement subkeys: &id001 - key: MatchDomainAlwaysElement @@ -284,9 +294,9 @@ payloadkeys: type: presence: optional content: |- - A list of domain names. If the host name ends with one of these domain names, the VPN isn't started automatically. This is used to exclude a subdomain within an included domain. - + A list of domain names. If the host name ends with one of these domain names, the system doesn't start the VPN automatically. The system uses this value to exclude a subdomain within an included domain. In iOS 7 and later, this key is deprecated (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' dictionaries. + Not available in watchOS. subkeytype: MatchDomainNeverElement subkeys: &id002 - key: MatchDomainNeverElement 
@@ -297,9 +307,9 @@ payloadkeys: type: presence: optional content: |- - A list of domain names. If the host name ends with one of these domain names and a DNS query for that domain name fails, the VPN is started automatically. - + A list of domain names. If the host name ends with one of these domain names and a DNS query for that domain name fails, the system starts the VPN automatically. In iOS 7 and later, this key is deprecated (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' dictionaries. + Not available in watchOS. subkeytype: MatchDomainOnRetryElement subkeys: &id003 - key: MatchDomainOnRetryElement 
@@ -330,22 +340,25 @@ payloadkeys: The action to take if this dictionary matches the current network. Possible values are: * 'Allow': Deprecated. Allow VPN On Demand to connect if triggered. * 'Connect': Unconditionally initiate a VPN connection on the next network attempt. - * 'Disconnect': Tear down the VPN connection and do not reconnect on demand as long as this dictionary matches. + * 'Disconnect': Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches. * 'EvaluateConnection': Evaluate the ActionParameters array for each connection attempt. - * 'Ignore:' Leave any existing VPN connection up, but do not reconnect on demand as long as this dictionary matches. + * 'Ignore:' Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches. + Only the 'Disconnect' action is available on watchOS 10 and later. - key: ActionParameters title: Action Parameters type: presence: optional - content: |- - A dictionary that provides rules similar to the 'OnDemandRules' dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches. - The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which 'EvaluateConnection' is the 'Action' value. + content: A dictionary that provides rules similar to the 'OnDemandRules' dictionary, + but evaluated on each connection instead of when the network changes. This + value is only for use with dictionaries in which the 'Action' value is 'EvaluateConnection'. + The system evaluates these dictionaries in order and the first dictionary + that matches determines the behavior. Not available in watchOS. subkeys: - key: Domains title: Domains type: presence: required - content: The domains for which this evaluation applies. + content: The domains to apply this evaluation. 
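Review bot: 'Ignore:' in the Action list still has the closing quote after the colon, and this hunk rewrites that very line (do not to don't), so fix it to 'Ignore': while here. In the same hunk, 'The domains to apply this evaluation.' for Domains drops the preposition and reads as broken English; the removed 'The domains for which this evaluation applies.' was correct, or use 'The domains that this evaluation applies to.'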
subkeys: - key: DomainsElement title: Domains Element @@ -359,15 +372,15 @@ payloadkeys: - NeverConnect content: |- Defines the VPN behavior for the specified domains. Allowed values are: - * 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout). + * 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout). * 'NeverConnect': The specified domains should never trigger a VPN connection attempt. - key: RequiredDNSServers title: Required DNS Servers type: presence: optional content: |- - An array of IP addresses of DNS servers to be used for resolving the specified domains. These servers need not be part of the device's current network configuration. If these DNS servers are not reachable, a VPN connection is established in response. These DNS servers should be either internal DNS servers or trusted external DNS servers. - Note: This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers. + This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. subkeys: - key: RequiredDNSServersElement title: Required DNS Servers Element 
@@ -377,15 +390,15 @@ payloadkeys: type: presence: optional content: |- - An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname cannot be resolved, if the server is unreachable, or if the server does not respond with a 200 HTTP status code, a VPN connection is established in response. - Note: This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response. + This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. - key: DNSDomainMatch title: DNS Domain Match type: presence: optional content: |- An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list. - A wildcard '*' prefix is supported. For example, '*.example.com' matches against either 'mydomain.example.com' or 'yourdomain.example.com'. + The system supports a wildcard ('*') prefix. For example, '*.example.com' matches against either 'mydomain.example.com' or 'yourdomain.example.com'. subkeys: - key: DNSDomainMatchElement title: DNS Domain Match Element @@ -396,7 +409,7 @@ payloadkeys: presence: optional content: |- An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array. - Matching with a single wildcard is supported. For example, 17.* matches any DNS server in the 17.0.0.0/8 subnet. + The system supports matching with a single wildcard. For example, '17.*' matches any DNS server in the '17.0.0.0/8' subnet. subkeys: - key: DNSServerAddressMatchElement title: DNS Server Address Match Element 
@@ -416,7 +429,7 @@ payloadkeys: type: presence: optional content: |- - An array of SSIDs to match against the current network. If the network is not a Wi-Fi network or if the SSID does not appear in this array, the match fails. + An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails. Omit this key and the corresponding array to match against any SSID. subkeys: - key: SSIDMatchElement @@ -426,13 +439,17 @@ payloadkeys: title: URL String Probe type: presence: optional - content: A URL to probe. If this URL is successfully fetched (returning a - 200 HTTP status code) without redirection, this rule matches. + content: A URL to probe. This rule matches when this URL is successfully fetched + (returns a '200' HTTP status code) without redirection. Not available in + watchOS. - key: IPv4 title: IPv4 Settings + supportedOS: + tvOS: + introduced: n/a type: presence: optional - content: The dictionary containing IPv4 settings. + content: The dictionary that contains IPv4 settings. Not available in watchOS. subkeys: - key: OverridePrimary title: Override Primary Connection 
@@ -442,24 +459,28 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', all network traffic is sent over VPN. + content: If '1', the system sends all network traffic over VPN. - key: PPP title: PPP + supportedOS: + tvOS: + introduced: n/a type: presence: optional - content: The dictionary used when 'VPNType' is set to 'L2TP' or 'PTPP'. + content: The dictionary to use when 'VPNType' is 'L2TP' or 'PTPP'. Not available + in watchOS. subkeys: - key: AuthName title: Account Username type: presence: optional - content: The VPN account user name. This key is used for L2TP and PPTP networks. + content: The VPN account user name. This key is for use with L2TP and PPTP networks. - key: AuthPassword title: Account Password type: presence: optional - content: If TokenCard is 'false', use this password for authentication. This key - is used for L2TP and PPTP networks. + content: If 'TokenCard' is '1', use this password for authentication. This keyis + for use with L2TP and PPTP networks. - key: TokenCard title: Use Token Card type: 
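Review bot: the AuthPassword rewrite in @@ -442 inverts the condition. The removed line says the password is used when TokenCard is 'false'; the added line says "If 'TokenCard' is '1'". With the 0/1 convention this patch adopts everywhere else, that must read "If 'TokenCard' is '0'", otherwise the documented behaviour is the opposite of the old text. Same hunk: 'This keyis' is missing a space, and the PPP description keeps the pre-existing 'PTPP' typo for 'PPTP' on a line this hunk rewrites.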
@@ -468,25 +489,21 @@ payloadkeys: - 0 - 1 default: 0 - content: |- - If 'true', uses a token card such as an RSA SecurID card for connecting. - - This key is used for L2TP networks. + content: If '1', uses a token card such as an RSA SecurID card for connecting. + This key is for use with L2TP networks. - key: CommRemoteAddress title: Remote Address type: presence: optional - content: |- - The IP address or host name of VPN server. - - This key is used for L2TP and PPTP networks. + content: The IP address or host name of VPN server. This key is for use with L2TP + and PPTP networks. - key: AuthEAPPlugins title: EAP Plugins type: presence: optional - content: An array of authentication plugins. If RSA SecurID is being used, this - array should only have one value, 'EAP-RSA'. This key is used for L2TP and PPTP - networks. + content: 'An array of authentication plugins. For use of RSA SecurID, this array + should only have one value: ''EAP-RSA''. This key is for use with L2TP and PPTP + networks.' subkeys: - key: EAPPluginElement title: EAP Plugin @@ -502,8 +519,8 @@ payloadkeys: title: Protocol type: presence: optional - content: An array of authentication protocols. If RSA SecurID is being used, this - array should have one value, 'EAP'. This key is used for L2TP and PPTP networks. + content: An array of authentication protocols. For use of RSA SecurID, this array + should have one value, 'EAP'. This key is for use with L2TP and PPTP networks. subkeys: - key: AuthProtocolElement title: Auth Protocol @@ -520,7 +537,7 @@ payloadkeys: rangelist: - 0 - 1 - content: If 'true' and 'CCPEnabled' is also 'true', enables CCPMPPE128 encryption. + content: If '1' and 'CCPEnabled' is also '1', enables CCPMPPE128 encryption. - key: CCPMPPE128Enabled title: Enable CCPMPPE128 type: 
@@ -528,7 +545,7 @@ payloadkeys: rangelist: - 0 - 1 - content: If 'true' and 'CCPEnabled' is also 'true', enables CCPMPPE40 encryption. + content: If '1' and 'CCPEnabled' is also '1', enables CCPMPPE40 encryption. - key: CCPEnabled title: Enable CCP type: @@ -536,10 +553,8 @@ payloadkeys: rangelist: - 0 - 1 - content: |- - If 'true', enables encryption on the connection. - - This key is used for PPTP networks. + content: If '1', enables encryption on the connection. This key is for use with + PPTP networks. - key: DisconnectOnIdle title: Enable Disconnect on Idle type: @@ -548,7 +563,7 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', disconnects after an on demand connection idles. + content: If '1', disconnects after an on demand connection idles. - key: DisconnectOnIdleTimer title: Disconnect on Idle time type: @@ -556,9 +571,12 @@ payloadkeys: content: The length of time to wait before disconnecting an on demand connection - key: IPSec title: IPSec Settings + supportedOS: + tvOS: + introduced: n/a type: presence: optional - content: The dictionary containing IPSec settings. + content: The dictionary that contains IPSec settings. Not available in watchOS. subkeys: - key: RemoteAddress title: Remote Address @@ -573,7 +591,7 @@ payloadkeys: - SharedSecret - Certificate default: SharedSecret - content: The authentication method. Used for L2TP and Cisco IPSec. + content: The authentication method for L2TP and Cisco IPSec. - key: XAuthName title: Username type: @@ -583,7 +601,7 @@ payloadkeys: title: Password type: presence: optional - content: The VPN account password used for Cisco IPSec. + content: The VPN account password for Cisco IPSec. - key: XAuthEnabled title: XAUTH Enabled type: 
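Review bot: the CCPMPPE128Enabled key (title 'Enable CCPMPPE128', content rewritten in @@ -528) is documented as 'enables CCPMPPE40 encryption', while the key immediately before it (content rewritten in @@ -520) is documented as 'enables CCPMPPE128 encryption'. The two content strings look swapped; since both lines are touched here, put each description under the key it belongs to rather than carrying the mix-up forward.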
@@ -591,22 +609,21 @@ payloadkeys: rangelist: - 0 - 1 - content: If 'true', enables Xauth for Cisco IPSec VPNs. + content: If '1', enables Xauth for Cisco IPSec VPNs. - key: XAuthPasswordEncryption title: XAUTH Password Encryption type: presence: optional rangelist: - Prompt - content: String value is either “Prompt” or not present. + content: A string that either has the value “Prompt” or isn't present. - key: LocalIdentifier title: Local Identifier type: presence: optional content: |- - The name of the group. If Hybrid Authentication is used, the string must end with 'hybrid'. - - Present only if 'AuthenticationMethod' is 'SharedSecret' and using for Cisco IPSec. + The name of the group. For hybrid authentication, the string needs to end with 'hybrid'. + Present only for Cisco IPSec if 'AuthenticationMethod' is 'SharedSecret'. - key: LocalIdentifierType title: Local Identifier Type type: 
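Review bot: XAuthPasswordEncryption keeps typographic quotes (“Prompt”) while every other value in this patch is written as 'Prompt' in single ASCII quotes. The rangelist already constrains the value, so a sentence such as: If present, the only allowed value is 'Prompt'. is both clearer and consistent with the rest of the file.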
@@ -614,26 +631,22 @@ payloadkeys: rangelist: - KeyID default: KeyID - content: |- - Present only if 'AuthenticationMethod' is 'SharedSecret'. The value is 'KeyID'. - - This type is used for L2TP and Cisco IPSec VPNs. + content: Present only if 'AuthenticationMethod' is 'SharedSecret'. The value is + 'KeyID'. The system uses this value for L2TP and Cisco IPSec VPNs. - key: SharedSecret title: Shared Secret type: presence: optional content: |- The shared secret for this VPN account. - - Only use this with L2TP and Cisco IPSec VPNs and if the 'AuthenticationMethod' key is set to 'SharedSecret'. + Only use this with L2TP and Cisco IPSec VPNs and if the 'AuthenticationMethod' key is to 'SharedSecret'. - key: PayloadCertificateUUID title: Certificate UUID type: presence: optional content: |- The UUID of the certificate payload within the same profile to use for the account credentials. - - Only use this with Cisco IPSec VPNs and if the 'AuthenticationMethod' key is set to 'Certificate'. + Only use this with Cisco IPSec VPNs and if the 'AuthenticationMethod' key is to 'Certificate'. - key: PromptForVPNPIN title: Prompt for PIN type: @@ -648,7 +661,7 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', disconnect after an on-demand connection idles. + content: If '1', disconnect after an on-demand connection idles. - key: DisconnectOnIdleTimer title: Disconnect on Idle time type: 
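Review bot: SharedSecret and PayloadCertificateUUID in @@ -614 lose the word 'set': "if the 'AuthenticationMethod' key is to 'SharedSecret'" and "if the 'AuthenticationMethod' key is to 'Certificate'" are ungrammatical. Restore "is set to" (or simply "is") in both places.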
@@ -662,13 +675,13 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', bring the VPN connection up on demand. + content: If '1', enables bringing the VPN connection up on demand. - key: OnDemandMatchDomainsAlways title: On Demand Match Domains Always type: presence: optional content: Deprecated. A list of domain names. In iOS 7 and later, if this key is - present, the associated domain names are treated as though they were associated + present, the system treats associated domain names as though they're associated with the 'OnDemandMatchDomainsOnRetry' key. This behavior can be overridden by 'OnDemandRules'. subkeytype: MatchDomainAlwaysElement @@ -686,9 +699,9 @@ payloadkeys: title: On Demand Match Domains On Retry type: presence: optional - content: Deprecated. A list of domain names. In iOS 7 and later, this key is deprecated - (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' - dictionaries. + content: Deprecated. A list of domain names. In iOS 7 and later, this field is + deprecated (but still supported) in favor of 'EvaluateConnection' actions in + the 'OnDemandRules' dictionaries. subkeytype: MatchDomainOnRetryElement subkeys: *id003 - key: OnDemandRules @@ -700,9 +713,12 @@ payloadkeys: subkeys: *id004 - key: IKEv2 title: IKEv2 + supportedOS: + watchOS: + introduced: '10.0' type: presence: optional - content: The dictionary used when 'VPNType' is set to 'IKEv2.' + content: The dictionary to use when 'VPNType' is 'IKEv2'. subkeys: - key: RemoteAddress title: RemoteAddress 
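Review bot: OnDemandMatchDomainsOnRetry (@@ -686) changes 'this key is deprecated' to 'this field is deprecated'; the file otherwise calls these 'keys', and the IncludeAllNetworks and EnableFallback hunks in this patch introduce 'field' as well. Keep 'key' throughout. Also in @@ -662, "If '1', enables bringing the VPN connection up on demand." is awkward; "If '1', the system brings the VPN connection up on demand." matches the voice used elsewhere in the patch.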
@@ -729,8 +745,7 @@ payloadkeys: - Certificate content: |- The type of authentication method for the VPN. - - To enable EAP-only authentication, the authentication method should be set to 'None' and the 'ExtendedAuthEnabled' key should be set to 1. If this key is set to 'None' and the 'ExtendedAuthEnabled' key isn't set, the authentication configuration defaults to 'SharedSecret'. + To enable EAP-only authentication, set this to 'None' and 'ExtendedAuthEnabled' to '1'. If this is 'None' and the 'ExtendedAuthEnabled' key isn't set, the authentication configuration defaults to 'SharedSecret'. - key: CertificateType title: Certificate Type type: @@ -740,19 +755,19 @@ payloadkeys: - ECDSA256 - ECDSA384 - ECDSA521 - - Ed25519 + - RSA-PSS default: RSA - content: This key specifies the type of 'PayloadCertificateUUID' used for IKEv2 - machine authentication. If this key is included, the 'ServerCertificateIssuerCommonName' - key is required. + content: The type of 'PayloadCertificateUUID' to use for IKEv2 machine authentication. + If this key is included, the system requires a value for 'ServerCertificateIssuerCommonName'. - key: PayloadCertificateUUID title: PayloadCertificateUUID type: presence: optional content: The UUID of the certificate payload within the same profile to use as the account credential. If the value of 'AuthenticationMethod' is 'Certificate', - this certificate is sent out for IKEv2 machine authentication. If extended authentication - (EAP) is used, it is sent out for EAP-TLS authentication. + the system sends this certificate out for IKEv2 machine authentication. If extended + authentication (EAP) is used, the system sends this certificate out for EAP-TLS + authentication. - key: SharedSecret title: SharedSecret type: 
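Review bot: the CertificateType rangelist (@@ -740) drops 'Ed25519' and adds 'RSA-PSS'. Removing a value the schema previously accepted is a breaking change for anything that validates profiles against it; if Ed25519 was never honoured by the OS, say so in the commit message, otherwise keep it listed and mark it deprecated in the content. Either way, state which OS versions accept 'RSA-PSS', as the file does for other version-gated values.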
@@ -767,17 +782,17 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', enables EAP-only authentication. + content: If '1', enables EAP-only authentication. - key: AuthName title: AuthName type: presence: optional - content: The user name used for authentication. + content: The user name to use for authentication. - key: AuthPassword title: AuthPassword type: presence: optional - content: The password used for authentication. + content: The password to use for authentication. - key: OnDemandEnabled title: Enable VPN On Demand type: @@ -786,7 +801,7 @@ payloadkeys: - 0 - 1 default: 0 - content: If 1, VPN is brought up on demand. + content: If '1', enables VPN up on demand. - key: OnDemandUserOverrideDisabled title: Prevent users from toggling VPN On Demand supportedOS: @@ -800,16 +815,20 @@ payloadkeys: - 0 - 1 default: 0 - content: If 1, the Connect On Demand toggle in Settings is disabled for this configuration. + content: If '1', the system disables the Connect On Demand toggle in Settings + for this configuration. - key: OnDemandRules title: On Demand Rules type: presence: optional - content: Determines when and how an OnDemand VPN should be used. + content: A list of rules that determine when and how to use an OnDemand VPN. subkeytype: OnDemandRulesElement subkeys: *id004 - key: DeadPeerDetectionRate title: Dead Peer Detection Rate + supportedOS: + watchOS: + introduced: n/a type: presence: optional rangelist: @@ -824,6 +843,7 @@ payloadkeys: * 'Low': Send keepalive every 30 minutes. * 'Medium': Send keepalive every 10 minutes. * 'High': Send keepalive every 1 minute. + Not available in watchOS. - key: ServerCertificateIssuerCommonName title: ServerCertificateIssuerCommonName type: 
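Review bot: "If '1', enables VPN up on demand." (IKEv2 OnDemandEnabled, @@ -786) is not a sentence. The removed "If 1, VPN is brought up on demand." was fine; "If '1', the system brings the VPN up on demand." keeps the patch's voice and matches the IPSec variant.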
@@ -831,14 +851,14 @@ payloadkeys: content: Common Name of the server certificate issuer. If set, this field causes IKE to send a certificate request based on this certificate issuer to the server. This key is required if the 'CertificateType' key is included and the 'ExtendedAuthEnabled' - key is set to 1. + key is '1'. - key: ServerCertificateCommonName title: ServerCertificateCommonName type: presence: optional - content: The common name of the server certificate. This name is used to validate - the certificate sent by the IKE server. If not set, the remote identifier is - used to validate the certificate. + content: The common name of the server certificate. The system uses this name + to validate the certificate sent by the IKE server. If not set, the system uses + the remote identifier to validate the certificate. - key: TLSMinimumVersion title: TLS Minimum Version supportedOS: @@ -853,7 +873,7 @@ payloadkeys: - '1.1' - '1.2' default: '1.0' - content: The minimum TLS version to be used with EAP-TLS authentication. + content: The minimum TLS version to use with EAP-TLS authentication. - key: TLSMaximumVersion title: TLS Maximum Version supportedOS: @@ -868,7 +888,7 @@ payloadkeys: - '1.1' - '1.2' default: '1.2' - content: The maximum TLS version to be used with EAP-TLS authentication. + content: The maximum TLS version to use with EAP-TLS authentication. - key: UseConfigurationAttributeInternalIPSubnet title: Use IPv4 / IPv6 Internal Subnet Attributes supportedOS: @@ -880,8 +900,8 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', negotiations should use IKEv2 Configuration Attribute INTERNAL_IP4_SUBNET - and INTERNAL_IP6_SUBNET. + content: If '1', negotiations should use IKEv2 Configuration Attribute 'INTERNAL_IP4_SUBNET' + and 'INTERNAL_IP6_SUBNET'. - key: DisableMOBIKE title: Disable Mobility and Multihoming supportedOS: 
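Review bot: ServerCertificateIssuerCommonName (@@ -831) says it is required when 'CertificateType' is included and 'ExtendedAuthEnabled' is '1', but the CertificateType content rewritten in the preceding hunk says "If this key is included, the system requires a value for 'ServerCertificateIssuerCommonName'" with no EAP condition. Both lines are touched by this patch; pick one rule and state it identically in both places. While touching TLSMinimumVersion (@@ -853): with a default of '1.0', one sentence recommending '1.2' for EAP-TLS would keep readers from shipping the compatibility default.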
@@ -893,7 +913,7 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', disables MOBIKE. + content: If '1', the system disables MOBIKE. - key: DisableRedirect title: Disable Redirect supportedOS: @@ -905,8 +925,8 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', disables IKEv2 redirect. If not set, the IKEv2 connection - is redirected if a redirect request is received from the server. + content: If '1', the system disables IKEv2 redirect. If not set, the system redirects + an IKEv2 connection when it receives a redirect request from the server. - key: NATKeepAliveOffloadEnable title: NAT Keep Alive Offload Enable supportedOS: 
@@ -919,9 +939,8 @@ payloadkeys: - 1 default: 1 content: |- - If 'true', enables NAT Keepalive offload for Always On VPN IKEv2 connections. Keepalive packets are sent by the device to maintain NAT mappings for IKEv2 connections that have a NAT on the path. Keepalive packets are sent at regular interval when the device is awake. If 'NATKeepAliveOffloadEnable' is set to 'true', Keepalive packets will be offloaded to hardware while the device is asleep. - - NAT Keepalive offload has an impact on the battery life since extra workload is added during sleep. The default interval for the Keepalive offload packets is 20 seconds over WiFi and 110 seconds over Cellular interface. The default NAT Keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network is known to have larger NAT mapping timeouts, larger Keepalive intervals may be safely used to minimize battery impact. The Keepalive interval can be modified by setting the `NATKeepAliveInterval` key. + If '1', enables NAT keepalive offload for Always On VPN IKEv2 connections. The device sends keepalive packets to maintain NAT mappings for IKEv2 connections that have a NAT on the path. It sends keepalive packets at regular intervals when the device is awake. If 'NATKeepAliveOffloadEnable' is '1', the system offloads keepalive packets to hardware while the device is asleep. + NAT keepalive offload has an impact on the battery life due to the extra workload during sleep. The default interval for the keepalive offload packets is 20 seconds over WiFi and 110 seconds over Cellular interface. The default NAT keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network has larger NAT mapping timeouts, larger keepalive intervals may be safely used to minimize battery impact. Modify the keepalive interval through the 'NATKeepAliveInterval' key. - key: NATKeepAliveInterval title: NAT Keepalive Interval supportedOS: 
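Review bot: NATKeepAliveOffloadEnable (@@ -919) writes 'WiFi' while the NATKeepAliveInterval hunk that follows writes 'Wi-Fi'; use 'Wi-Fi' here ('WiFi Assist' in EnableFallback is a product name and stays as is).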
@@ -931,9 +950,9 @@ payloadkeys: presence: optional default: 20 content: The NAT Keepalive interval for Always On VPN IKEv2 connections. This - value controls the interval over which Keepalive offload packets are sent by - the device. The minimum value is 20 seconds. If no key is specified, the default - is 20 seconds over Wi-Fi and 110 seconds over a cellular interface. + value controls the interval that the device sends keepalive offload packets. + The minimum value is 20 seconds. If no key is specified, the default is 20 seconds + over Wi-Fi and 110 seconds over a cellular interface. - key: EnablePFS title: Enable perfect forward secrecy supportedOS: @@ -945,7 +964,7 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', enables Perfect Forward Secrecy (PFS) for IKEv2 Connections. + content: If '1', enables Perfect Forward Secrecy (PFS) for IKEv2 Connections. - key: EnableCertificateRevocationCheck title: Enable certificate revocation check supportedOS: @@ -957,9 +976,9 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', performs a certificate revocation check for IKEv2 connections. - This is a best-effort revocation check; server response timeouts won't cause - it to fail. + content: If '1', the system performs a certificate revocation check for IKEv2 + connections. This is a best-effort revocation check and server response timeouts + won't cause it to fail. - key: EnableFallback title: Enable fallback supportedOS: @@ -967,6 +986,8 @@ payloadkeys: introduced: '13.0' macOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional rangelist: 
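Review bot: "the interval that the device sends keepalive offload packets" (NATKeepAliveInterval, @@ -931) should be "the interval at which the device sends keepalive offload packets". The same key keeps 'default: 20' in its metadata while the content says the default is 110 seconds on a cellular interface; if the default depends on the interface, either drop the numeric default or say that 20 is the Wi-Fi value.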
@@ -974,10 +995,11 @@ payloadkeys: - 1 default: 0 content: |- - If true, enables a tunnel over cellular data to carry traffic that is eligible for WiFi Assist and also requires VPN. + If '1', the system enables a tunnel over cellular data to carry traffic that's eligible for WiFi Assist and also requires VPN. Enabling fallback requires that the server support multiple tunnels for a single user. + This field is available in iOS 13 and later, and tvOS 17 and later. Not available in watchOS. - key: MTU - title: Maximum Tranmission Unit + title: Maximum Transmission Unit supportedOS: iOS: introduced: '14.0' @@ -989,9 +1011,9 @@ payloadkeys: min: 1280 max: 1400 default: 1280 - content: |- - The Maximum Transmission Unit (MTU) specifies the maximum size in bytes of each packet that will be sent over the IKEv2 VPN interface. - Available in iOS 14 and later, and macOS 11 and later. + content: The Maximum Transmission Unit (MTU) specifies the maximum size in bytes + of each packet that the system sends over the IKEv2 VPN interface. Available + in iOS 14 and later, and macOS 11 and later. - key: IncludeAllNetworks title: Include All Networks supportedOS: @@ -999,6 +1021,8 @@ payloadkeys: introduced: '14.0' macOS: introduced: '10.15' + tvOS: + introduced: n/a type: presence: optional rangelist: 
@@ -1006,11 +1030,10 @@ payloadkeys: - 1 default: 0 content: |- - If 1, then all network traffic will be routed through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, and ExcludeAPNs properties. See the documentation for those properties. The following traffic is always excluded from the tunnel. - + If '1', then the system routes all network traffic through the VPN, with some controllable exclusions, such as 'ExcludeLocalNetworks', 'ExcludeCellularServices', and 'ExcludeAPNs' properties. The system always excludes the following traffic from the tunnel: * Traffic necessary for connecting and maintaining the device's network connection, such as DHCP. * Traffic necessary for connecting to captive networks. - * Certain cellular services traffic that is not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details. + * Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the 'ExcludeCellularServices' field for more information. * Network communication with a companion device such as a watchOS device. - key: EnforceRoutes title: Enforce Routes @@ -1025,9 +1048,8 @@ payloadkeys: - 0 - 1 default: 0 - content: If 1, then all the VPN's non-default routes will take precedence over - any locally-defined routes. If IncludeAllNetworks is 1, the value of EnforceRoutes - is ignored. + content: If '1', all the VPN's non-default routes take precedence over any locally-defined + routes. If 'IncludeAllNetworks' is '1', the system ignores 'EnforceRoutes'. - key: ExcludeLocalNetworks title: Exclude Local Networks supportedOS: 
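Review bot: the IncludeAllNetworks rewrite (@@ -1006) turns "Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, and ExcludeAPNs properties" into "with some controllable exclusions, such as ... properties", which no longer says what those keys do and reads as if the list were open-ended. Keep the original meaning: "Several of the exclusions are controlled by the 'ExcludeLocalNetworks', 'ExcludeCellularServices' and 'ExcludeAPNs' keys." Also 'field' should be 'key' in the ExcludeCellularServices cross-reference.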
@@ -1035,14 +1057,16 @@ payloadkeys: introduced: '14.2' macOS: introduced: '10.15' + tvOS: + introduced: n/a type: presence: optional rangelist: - 0 - 1 - content: If 1 and either IncludeAllNetworks or EnforceRoutes are 1, then local - network traffic will be routed outside of the VPN. The default for this value - is 0 on macOS and 1 on iOS. + content: If '1' and either 'IncludeAllNetworks' or 'EnforceRoutes' are '1', then + the system routes local network traffic outside of the VPN. The default for + this value is '0' on macOS and '1' on iOS. - key: ExcludeCellularServices title: Exclude Cellular Services supportedOS: @@ -1050,16 +1074,18 @@ payloadkeys: introduced: '16.4' macOS: introduced: '13.3' + tvOS: + introduced: n/a type: presence: optional rangelist: - 0 - 1 default: 1 - content: If 1 and IncludeAllNetworks is 1, then internet-routable network traffic - for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual Voicemail, etc.) - is excluded from the tunnel. Note that some cellular carriers route cellular - services traffic directly to the carrier network, bypassing the internet. Such + content: If '1' and 'IncludeAllNetworks' is '1', the system excludes internet-routable + network traffic for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual + Voicemail, etc.) from the tunnel. Note that some cellular carriers route cellular + services traffic directly to the carrier network, bypassing the internet. Such cellular services traffic is always excluded from the tunnel. - key: ExcludeAPNs title: Exclude APNs 
@@ -1068,14 +1094,16 @@ payloadkeys: introduced: '16.4' macOS: introduced: '13.3' + tvOS: + introduced: n/a type: presence: optional rangelist: - 0 - 1 default: 1 - content: If 1 and IncludeAllNetworks is 1, then network traffic for the Apple - Push Notification service (APNs) is excluded from the tunnel. + content: If '1' and 'IncludeAllNetworks' is '1', the system excludes network traffic + for the Apple Push Notification service (APNs) from the tunnel. - key: IKESecurityAssociationParameters title: IKESecurityAssociationParameters type: @@ -1127,9 +1155,10 @@ payloadkeys: - 20 - 21 - 31 + - 32 default: 14 content: The Diffie-Hellman group. For AlwaysOn VPN, minimum allowed Diffie - Hellman Group is 14 in iOS 14.2 and later. + Hellman Group is '14' in iOS 14.2 and later. - key: LifeTimeInMinutes title: LifeTimeInMinutes type: 
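Review bot: the DiffieHellmanGroup rangelist (@@ -1127) adds '32' without saying which OS release accepts it, even though the content already records an iOS 14.2 constraint for AlwaysOn on the same key. Add the introduced version for group 32 to the content (or a supportedOS note) so profile authors can tell which devices will negotiate it.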
@@ -1148,10 +1177,54 @@ payloadkeys: subkeys: *id005 - key: DNS title: DNS + supportedOS: + watchOS: + introduced: '10.0' type: presence: optional - content: A dictionary used for all VPN types. + content: A dictionary to use for all VPN types. subkeys: + - key: DNSProtocol + title: DNS Protocol + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '11.0' + type: + presence: required + rangelist: + - Cleartext + - HTTPS + - TLS + content: The transport protocol to communicate with the DNS server. + - key: ServerURL + title: Server URL + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '11.0' + type: + presence: optional + content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484, + which needs to use the 'https://' scheme. The system uses the hostname or address + in the URL to validate the server certificate. If 'ServerAddresses' isn't specified, + the system uses the hostname or address in the URL to determine the server addresses. + This key is required if the 'DNSProtocol' is 'HTTPS'. + - key: ServerName + title: Server Name + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '11.0' + type: + presence: optional + content: The hostname of a DNS-over-TLS server to validate the server certificate, + as defined in RFC 7858. If 'ServerAddresses' isn't specified, the system uses + the hostname to determine the server addresses. This key is required if the + 'DNSProtocol' is 'TLS'. - key: ServerAddresses title: DNS Server Addresses supportedOS: 
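Review bot: DNSProtocol (@@ -1148) is added with 'presence: required' inside the pre-existing DNS dictionary. Every profile written before iOS 14 / macOS 11 that supplies a DNS dictionary with only ServerAddresses would now fail validation, and the key has no value on OS versions where it did not exist; either make it optional and document what the system does when it is absent (presumably the 'Cleartext' behaviour the dictionary always had), or document the required status as applying from iOS 14 / macOS 11 only. The three new keys also carry no tvOS or watchOS supportedOS entries even though this hunk adds 'watchOS: introduced: 10.0' to the parent DNS dictionary.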
@@ -1201,11 +1274,9 @@ payloadkeys: type: presence: optional content: |- - The list of domain strings used to determine which DNS queries will use the DNS resolver settings contained in 'ServerAddresses'. This key is used to create a split DNS configuration where only hosts in certain domains are resolved using the tunnel's DNS resolver. Hosts not in one of the domains in this list are resolved using the system's default resolver. - + The list of domain strings used to determine which DNS queries use the DNS resolver settings in 'ServerAddresses'. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list. If 'SupplementalMatchDomains' contains the empty string it becomes the default domain. - - Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in 'ServerAddresses' become the default resolver and the 'SupplementalMatchDomains' list is ignored. + Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in 'ServerAddresses' become the default resolver and the system ignores the 'SupplementalMatchDomains' list. subkeys: &id006 - key: SupplementalMatchDomainsElement title: Supplemental Match Domains Element 
@@ -1223,13 +1294,28 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'false', append the domains in the 'SupplementalMatchDomains' list - to the resolver's list of search domains. + content: If '0', append the domains in the 'SupplementalMatchDomains' list to + the resolver's list of search domains. + - key: PayloadCertificateUUID + title: DNS Certificate UUID + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: '13.0' + type: + presence: optional + format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ + content: That UUID that points to an identity certificate payload. The system + uses this identity to authenticate the user to the DNS resolver. - key: Proxies title: Proxies + supportedOS: + watchOS: + introduced: '10.0' type: presence: optional - content: The dictionary used to configure 'Proxies' for use with 'VPN'. + content: The dictionary to use to configure 'Proxies' for use with 'VPN'. subkeys: - key: ProxyAutoConfigEnable title: Proxy AutoConfig Enable @@ -1268,7 +1354,7 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', enables proxy for HTTP traffic. + content: If '1', enables proxy for HTTP traffic. - key: HTTPProxy title: HTTP Proxy type: @@ -1323,9 +1409,11 @@ payloadkeys: introduced: '8.0' macOS: introduced: n/a + tvOS: + introduced: n/a type: presence: optional - content: The dictionary used when 'VPNType' is set to 'AlwaysOn'. + content: The dictionary to use when 'VPNType' is 'AlwaysOn'. Not available in watchOS. subkeys: - key: UIToggleEnabled title: UI Toggle Enabled @@ -1335,7 +1423,7 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', allows the user to disable the VPN configuration. + content: If '1', allows the user to disable the VPN configuration. - key: TunnelConfigurations title: TunnelConfigurations type: 
@@ -1352,7 +1440,7 @@ payloadkeys: presence: required rangelist: - IKEv2 - content: The type of connection, which must be 'IKEv2'. + content: The type of connection, which needs to be 'IKEv2'. - key: Interfaces title: Interfaces type: @@ -1383,7 +1471,7 @@ payloadkeys: - VoiceMail - AirPrint - CellularServices - content: The name of a service which is exempt from Always On VPN. 'CellularServices' + content: The name of a service that's exempt from Always On VPN. 'CellularServices' is available in iOS 11.3 and later; it exempts 'VoLTE', 'IMS' and 'MMS'. WiFiCalling is exempted in iOS 13.4 and later. - key: Action @@ -1401,8 +1489,8 @@ payloadkeys: introduced: '13.6' type: presence: optional - content: An array that contains an arbitrary number of applications whose connections - will occur outside the VPN. + content: An array that contains an arbitrary number of apps whose connections + occur outside the VPN. subkeys: - key: ApplicationExceptionElement title: A ApplicationException Element @@ -1417,8 +1505,8 @@ payloadkeys: title: LimitToProtocols type: presence: optional - content: Limit the exception to only the specified list of protocol(s). Only - 'UDP' is supported. + content: Limit the exception to only the specified list of protocols, with + support for 'UDP' only. subkeys: - key: LimitToProtocolElement title: LimitToProtocol Element @@ -1433,7 +1521,7 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', allows traffic from Captive Web Sheet outside the VPN tunnel. + content: If '1', allows traffic from Captive Web Sheet outside the VPN tunnel. - key: AllowAllCaptiveNetworkPlugins title: Allow All Captive Network Plugins type: 
@@ -1442,8 +1530,8 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', allows traffic from all captive networking apps outside the - VPN tunnel to perform captive network handling. + content: If '1', allows traffic from all captive networking apps outside the VPN + tunnel to perform captive network handling. - key: AllowedCaptiveNetworkPlugins title: AllowedCaptiveNetworkPlugins type: @@ -1460,5 +1548,29 @@ payloadkeys: title: Bundle Identifier type: presence: required - content: The bundle identifier for the app that is allowed on the captive - network. + content: The bundle identifier for the app that's allowed on the captive network. +- key: TransparentProxy + title: TransparentProxy + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + tvOS: + introduced: n/a + type: + presence: optional + content: The dictionary to use when 'VPNType' is 'TransparentProxy'. The keys in + this dictionary are the same as the keys in the 'VPN' dictionary with the addition + of the fields shown in the VPN.TransparentProxy dictionary. Not available in watchOS. + subkeys: + - key: Order + title: Order + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + type: + presence: optional + content: A positive integer. diff --git a/mdm/profiles/com.apple.webClip.managed.yaml b/mdm/profiles/com.apple.webClip.managed.yaml index 40496c4..e92e0df 100644 --- a/mdm/profiles/com.apple.webClip.managed.yaml +++ b/mdm/profiles/com.apple.webClip.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: false userchannel: true requiresdep: false 
@@ -46,8 +48,7 @@ payloadkeys: type: subtype: presence: required - content: The URL that the web clip should open when clicked. If the URL doesn't - begin with 'HTTP' or 'HTTPS', it doesn't work. + content: The URL that the web clip should open when clicked. - key: Icon title: Icon type: @@ -83,6 +84,7 @@ payloadkeys: content: |- If 'true', a full screen web clip can navigate to an external web site without showing Safari UI. Otherwise, Safari UI appears when navigating away from the web clip's URL. This key has no effect when 'FullScreen' is 'false'. + Available in iOS 14 and later. - key: TargetApplicationBundleIdentifier title: Target Application Bundle Identifier supportedOS: @@ -92,6 +94,6 @@ payloadkeys: introduced: n/a type: presence: optional - content: The application bundle identifier that specifies the application which - opens the URL. To use this property, the profile must be installed through an - MDM. + content: |- + The application bundle identifier that specifies the application which opens the URL. To use this property, the profile must be installed through an MDM. + Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.webcontent-filter.yaml b/mdm/profiles/com.apple.webcontent-filter.yaml index 6ee325e..ea4a507 100644 --- a/mdm/profiles/com.apple.webcontent-filter.yaml +++ b/mdm/profiles/com.apple.webcontent-filter.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '7.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.15' + multiple: true devicechannel: true userchannel: false requiresdep: false 
@@ -22,9 +24,9 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden - content: As of iOS 16.0, this can be installed on Device Enrollments and User Enrollments - if ContentFilterUUID is specified. Previously it could only be installed on supervised - devices. + content: As of iOS 16.0, this can be installed on unsupervised devices and user + enrollments if ContentFilterUUID is specified. Previously it could only be installed + on supervised devices. payloadkeys: - key: FilterType title: FilterType @@ -297,4 +299,5 @@ payloadkeys: presence: optional content: A globally-unique identifier for this content filter configuration. Managed apps with the same 'ContentFilterUUID' in their app attributes have their network - traffic processed by the content filter. + traffic processed by the content filter. This key must be present for unsupervised + devices and user enrollments. diff --git a/mdm/profiles/com.apple.wifi.managed.yaml b/mdm/profiles/com.apple.wifi.managed.yaml index d8a779d..eff08c9 100644 --- a/mdm/profiles/com.apple.wifi.managed.yaml +++ b/mdm/profiles/com.apple.wifi.managed.yaml @@ -5,6 +5,7 @@ payload: supportedOS: iOS: introduced: '4.0' + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -15,6 +16,7 @@ payload: mode: allowed macOS: introduced: '10.7' + multiple: true devicechannel: true userchannel: true requiresdep: false @@ -24,10 +26,12 @@ payload: mode: allowed tvOS: introduced: '5.1' + multiple: true supervised: false allowmanualinstall: true watchOS: introduced: '3.2' + multiple: true allowmanualinstall: true payloadkeys: - key: AutoJoin 
@@ -152,23 +156,15 @@ payloadkeys: presence: optional content: The user's password. If you don't specify a value, the system prompts the user during login. - - key: OneTimePassword - supportedOS: - iOS: - introduced: '8.0' - type: - presence: optional - default: false - content: If 'true', the user receives a prompt for a password each time they connect - to the network. - key: PayloadCertificateAnchorUUID title: Certificate Anchor UUID type: presence: optional - content: An array of the UUID of a certificate payload to trust for authentication. - Use this key to prevent the device from asking the user whether to trust the - listed certificates. Dynamic trust (the certificate dialogue) is in a disabled - state if you specify this property without also enabling 'TLSAllowTrustExceptions'. + content: An array of the UUID of a certificate payloads in the same profile to + trust for authentication. Use this key to prevent the device from asking the + user whether to trust the listed certificates. Dynamic trust (the certificate + dialogue) is in a disabled state if you specify this property without also enabling + 'TLSAllowTrustExceptions'. subkeys: - key: CertificateAnchorUUID title: Individual Certificate Anchor UUID @@ -192,7 +188,7 @@ payloadkeys: presence: optional content: |- The list of accepted server certificate common names. If a server presents a certificate that isn't in this list, the system doesn't trust it. - If you specify this property, the system disables dynamic trust (the certificate dialog) unless you also specify 'TLSAllowTrustExceptions' with the value 'true'. + If you specify this property, the system disables dynamic trust (the certificate dialog) unless you also specify 'TLSAllowTrustExceptions' with the value 'true'. If necessary, use wildcards to specify the name, such as 'wpa.*.example.com'. subkeys: - key: TLSTrustedServerName 
@@ -246,6 +242,7 @@ payloadkeys: - '1.0' - '1.1' - '1.2' + - '1.3' default: '1.0' content: The minimum TLS version for EAP authentication. - key: TLSMaximumVersion @@ -262,6 +259,7 @@ payloadkeys: - '1.0' - '1.1' - '1.2' + - '1.3' default: '1.2' content: The maximum TLS version for EAP authentication. - key: OuterIdentity @@ -287,7 +285,7 @@ payloadkeys: content: |- If 'true', allows PAC provisioning. - This value is only applicable if 'EAPFASTUsePAC' is 'true'. This value must be 'true' for EAP-FAST PAC usage to succeed because there is no other way to provision a PAC. + This value is only applicable if 'EAPFASTUsePAC' is 'true'. This value must be 'true' for EAP-FAST PAC usage to succeed because there's no other way to provision a PAC. - key: EAPFASTProvisionPACAnonymously title: Provision PAC Anonymously type: @@ -321,9 +319,16 @@ payloadkeys: default: false content: |- If 'true', the system mode connection tries to use the Open Directory credentials. - If using this property, you can't use 'SystemModeCredentialsSource'. + If using this property, you can't use 'SystemModeCredentialsSource'. - key: OneTimeUserPassword title: Per-Connection Password + supportedOS: + iOS: + introduced: '8.0' + macOS: + introduced: '10.8' + tvOS: + introduced: '7.0' type: presence: optional default: false @@ -465,7 +470,7 @@ payloadkeys: iOS: introduced: '14.5' macOS: - introduced: n/a + introduced: '14.0' type: presence: optional content: An array of app bundle identifiers that defines the allow list for L2 @@ -481,6 +486,8 @@ payloadkeys: supportedOS: iOS: deprecated: '14.5' + macOS: + deprecated: '14.0' type: presence: optional content: Use 'QoSMarkingAllowListAppIdentifiers' instead. 
@@ -628,5 +635,6 @@ payloadkeys: default: false content: |- If 'true,' disables MAC address randomization for a Wi-Fi network while associated with that network. This feature also shows a privacy warning in Settings indicating that the network has reduced privacy protections. + If 'false', then the system enables MAC address randomization. This value is only locked when the profile is installed by MDM. If the profile is manually installed, the value is set but the user can change it. Available in iOS 14 and later, and watchOS 7 and later. diff --git a/mdm/profiles/com.apple.xsan.preferences.yaml b/mdm/profiles/com.apple.xsan.preferences.yaml index 83cb559..8ce3b63 100644 --- a/mdm/profiles/com.apple.xsan.preferences.yaml +++ b/mdm/profiles/com.apple.xsan.preferences.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.11' + multiple: true devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/com.apple.xsan.yaml b/mdm/profiles/com.apple.xsan.yaml index 5ae7759..065a8db 100644 --- a/mdm/profiles/com.apple.xsan.yaml +++ b/mdm/profiles/com.apple.xsan.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.10' + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/mdm/profiles/loginwindow.yaml b/mdm/profiles/loginwindow.yaml index 51da148..27fb1e0 100644 --- a/mdm/profiles/loginwindow.yaml +++ b/mdm/profiles/loginwindow.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + multiple: false devicechannel: true userchannel: false requiresdep: false diff --git a/other/machineinfo.yaml b/other/machineinfo.yaml index d0d03ee..8eeccda 100644 --- a/other/machineinfo.yaml +++ b/other/machineinfo.yaml @@ -10,6 +10,8 @@ payload: introduced: '10.9' tvOS: introduced: '10.2' + watchOS: + introduced: '10.0' payloadkeys: - key: UDID title: UDID 
@@ -47,10 +49,46 @@ payloadkeys: presence: required content: The device's product type, e.g. iPhone5,1. - key: VERSION - title: OS Version + title: Build Version type: presence: required - content: The OS version installed on the device, e.g. 7A182. + content: The build version installed on the device, e.g. 7A182. +- key: OS_VERSION + title: OS Version + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + type: + presence: required + content: The OS version installed on the device, e.g. 17.0. +- key: SUPPLEMENTAL_BUILD_VERSION + title: Supplemental Build Version + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + type: + presence: optional + content: The device's operating system supplemental build version (if available). +- key: SUPPLEMENTAL_OS_VERSION_EXTRA + title: Supplemental OS Version Extra + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + type: + presence: optional + content: The device's operating system supplemental OS version extra (if available). - key: IMEI title: IMEI supportedOS: @@ -86,3 +124,31 @@ payloadkeys: type: presence: optional content: The user's currently-selected language, e.g. en. +- key: MDM_CAN_REQUEST_SOFTWARE_UPDATE + title: MDM Can Request Software Update + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: false + content: If set to "true", indicates that the device can be triggered by the server + to do a required software update. +- key: PAIRING_TOKEN + title: Watch Enrollment Pairing Token + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: The pairing token to validate when a watch is enrolling. 
diff --git a/other/manifesturl.yaml b/other/manifesturl.yaml index 756bb86..26560aa 100644 --- a/other/manifesturl.yaml +++ b/other/manifesturl.yaml @@ -16,6 +16,8 @@ payload: mode: allowed tvOS: introduced: '10.2' + watchOS: + introduced: '10.0' payloadkeys: - key: items title: The manifest items @@ -91,6 +93,8 @@ payloadkeys: removed: '0' tvOS: removed: '0' + watchOS: + introduced: n/a type: presence: optional default: false @@ -130,6 +134,8 @@ payloadkeys: removed: '0' tvOS: removed: '0' + watchOS: + introduced: n/a type: presence: optional content: removed @@ -152,6 +158,8 @@ payloadkeys: removed: '0' tvOS: removed: '0' + watchOS: + introduced: n/a type: presence: optional content: Removed diff --git a/other/skipkeys.yaml b/other/skipkeys.yaml index 99c65e1..bbc0826 100644 --- a/other/skipkeys.yaml +++ b/other/skipkeys.yaml @@ -12,6 +12,8 @@ payload: tvOS: introduced: '10.2' always-skippable: true + watchOS: + introduced: n/a payloadkeys: - key: Accessibility title: Skip Accessibility pane @@ -25,8 +27,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the Accessibility pane, only if the Mac is connected to Ethernet - and the cloud config is downloaded. Availability: macOS 11+.' + content: The key to skip the Accessibility pane, when creating additional users. + This key is available in macOS 11 and later. - key: Android title: Prevents migration from Android device supportedOS: @@ -38,8 +40,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'If the Restore pane is not skipped, removes the Move from Android option - in the Restore pane on iOS. Availability: iOS 9+.' + content: If the Restore pane isn't skipped, this is the key to remove the Move from + Android option in the Restore pane on iOS. This key is available in iOS 9 and + later. - key: Appearance title: Skip Choose your Look setup pane supportedOS: 
@@ -51,12 +54,14 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the Choose Your Look screen. Availability: iOS 13+ and macOS 10.14+.' + content: The key to skip the Choose Your Look screen. This key is available in iOS + 13+ and macOS 10.14 and later. - key: AppleID title: Disables signing in to Apple ID and iCloud type: presence: optional - content: 'Skips Apple ID setup. Availability: iOS 7.0+, tvOS 10.2+, and macOS 10.9+.' + content: The key to skip Apple ID setup. This key is available in iOS 7.0+, tvOS + 10.2 and later, and macOS 10.9 and later. - key: AppStore title: Skips AppStore information pane supportedOS: @@ -68,7 +73,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the App Store pane. Availability: iOS 14.3+ and macOS 11.1+.' + content: The key to skip the App Store pane. This key is available in iOS 14.3 and + later, and macOS 11.1 and later. - key: Biometric title: Skips Touch ID/Face ID setup supportedOS: @@ -80,7 +86,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips biometric setup. Availability: iOS 8.1+ and macOS 10.12.4+.' + content: The key to skip biometric setup. This key is available in iOS 8.1 and later, + and macOS 10.12.4 and later. - key: DeviceToDeviceMigration title: Skip Device To Device Migration pane supportedOS: 
@@ -92,13 +99,14 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips Device to Device Migration pane. Availability: iOS 13+.' + content: The key to skip Device to Device Migration pane. This key is available + in iOS 13 and later. - key: Diagnostics title: Disables automatically sending diagnostic information type: presence: optional - content: 'Skips the App Analytics pane. Availability: iOS 7+, tvOS 10.2+, and macOS - 10.9+.' + content: The key to skip the App Analytics pane. This key is available in iOS 7 + and later, tvOS 10.2 and later, and macOS 10.9 and later. - key: DisplayTone title: Disables True Tone supportedOS: @@ -107,11 +115,26 @@ payloadkeys: deprecated: '15.0' macOS: introduced: 10.13.6 + deprecated: '12.0' tvOS: introduced: n/a type: presence: optional - content: 'Skips DisplayTone setup. Availability: iOS 9.3.2+ and macOS 10.13.6+.' + content: The key to skip DisplayTone setup. This key is available in iOS 9.3.2 and + later, and macOS 10.13.6 and later, and deprecated in iOS 15 and macOS 12. +- key: EnableLockdownMode + title: Skips Enable Lockdown Mode + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '14.0' + tvOS: + introduced: n/a + type: + presence: optional + content: If the key is included in the SkipSetup array the Lockdown Mode pane will + be skipped if an Apple ID/iCloud account is set up. - key: FileVault title: Skip configuration of FileVault supportedOS: @@ -123,8 +146,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Disables FileVault Setup Assistant screen in macOS. Availability: macOS - 10.10+.' + content: The key to disable the FileVault Setup Assistant screen in macOS. This + key is available in macOS 10.10 and later. - key: HomeButtonSensitivity title: Skips Home Button sensitivity setup supportedOS: 
@@ -137,8 +160,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the Meet the New Home Button screen on iPhone 7, iPhone 7 Plus, - iPhone 8, iPhone 8 Plus and iPhone SE. Availability: iOS 10+.' + content: The key to skip the Meet the New Home Button screen on iPhone 7, iPhone + 7 Plus, iPhone 8, iPhone 8 Plus, and iPhone SE. This key is available in iOS 10 + and later, and deprecated in iOS 15. - key: iCloudDiagnostics title: Skip iCloud Analytics pane supportedOS: @@ -150,7 +174,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips iCloud Analytics screen. Availability: macOS 10.12.4+.' + content: The key to skip the iCloud Analytics screen. This key is available in macOS + 10.12.4 and later. - key: iCloudStorage title: Skip iCloud Documents and Desktop pane supportedOS: @@ -162,8 +187,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips iCloud Documents and Desktop screen in macOS. Availability: macOS - 10.13.4+.' + content: The key to skip the iCloud Documents and Desktop screen in macOS. This + key is available in macOS 10.13.4 and later. - key: iMessageAndFaceTime title: Skip iMessage and FaceTime set up pane supportedOS: @@ -175,7 +200,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the iMessage and FaceTime screen in iOS. Availability: iOS 12+.' + content: The key to skip the iMessage and FaceTime screen in iOS. This key is available + in iOS 12 and later. - key: Location title: Disables Location Services supportedOS: @@ -183,7 +209,8 @@ payloadkeys: introduced: '10.11' type: presence: optional - content: 'Disables Location Services. Availability: iOS 7+ and macOS 10.11+.' + content: The key to disable Location Services. This key is available in iOS 7 and + later, and macOS 10.11 and later. - key: MessagingActivationUsingPhoneNumber title: Disables iMessage activation using a phone number in select regions supportedOS: 
@@ -195,7 +222,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the iMessage pane. Availability: iOS 10+.' + content: The key to skip the iMessage pane. This key is available in iOS 10 and + later. - key: OnBoarding title: Skip on-boarding informational panes supportedOS: @@ -208,9 +236,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips on-boarding informational screens for user education (Go Home, Cover - Sheet, Multitasking & Control Center, for example) in iOS. Availability: iOS 11 - - 13.6.' + content: The key to skip the on-boarding informational screens for user education + (Go Home, Cover Sheet, Multitasking & Control Center, for example) in iOS. This + key is available in iOS 11 and later, and deprecated in iOS 14. - key: Passcode title: Skips prompting the user to set a passcode supportedOS: @@ -218,7 +246,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Hides and disables the passcode pane. Availability: iOS 7+.' + content: The key to hide and disable the passcode pane. This key is available in + iOS 7 and later. - key: Payment title: Skips Apple Pay setup supportedOS: @@ -230,7 +259,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips Apple Pay setup. Availability: iOS 8.1+ and macOS 10.12.4+.' + content: The key to skip Apple Pay setup. This key is available in iOS 8.1 and later, + and macOS 10.12.4 and later. - key: Privacy title: Skip Privacy pane supportedOS: @@ -242,8 +272,8 @@ payloadkeys: introduced: '11.3' type: presence: optional - content: 'Skips the privacy pane. Availability: iOS 11.13+, tvOS 11.13+, and macOS - 10.13.4+.' + content: The key to skip the privacy pane. This key is available in iOS 11.13 and + later, tvOS 11.13 and later, and macOS 10.13.4 and later. - key: Restore title: Disables restoring from backup supportedOS: 
@@ -251,7 +281,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Disables restoring from backup. Availability: iOS 7+ and macOS 10.9+.' + content: The key to disable restoring from backup. This key is available in iOS + 7 and later, and macOS 10.9 and later. - key: RestoreCompleted title: Skips Restore Completed pane supportedOS: @@ -263,7 +294,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the Restore Completed pane. Availability: iOS 14+.' + content: The key to skip the Restore Completed pane. This key is available in iOS + 14 and later. - key: ScreenSaver title: Skips screen saver setup supportedOS: @@ -273,8 +305,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the tvOS screen about using aerial screensavers in ATV. Availability: - tvOS 10.2+.' + content: The key to skip the tvOS screen about using aerial screensavers in ATV. + This key is available in tvOS 10.2 and later. - key: Safety title: Skips Safety pane supportedOS: @@ -286,7 +318,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the Safety pane. Availability: iOS 16+.' + content: The key to skip the Safety pane. This key is available in iOS 16 and later. - key: ScreenTime title: Skip Screen Time pane supportedOS: @@ -298,7 +330,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the Screen Time pane. Availability: iOS 12+ and macOS 10.15+.' + content: The key to skip the Screen Time pane. This key is available in iOS 12 and + later, and macOS 10.15 and later. - key: SIMSetup title: Skip SIM-related setup supportedOS: @@ -310,7 +343,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the add cellular plan pane. Availability: iOS 12+.' + content: The key to skip the add cellular plan pane. This key is available in iOS + 12 and later. - key: Siri title: Disables Siri supportedOS: 
@@ -318,7 +352,8 @@ payloadkeys: introduced: '10.12' type: presence: optional - content: 'Disables Siri. Availability: iOS 7+, tvOS 10.2+, and macOS 10.12+.' + content: The key to disable Siri. This key is available in iOS 7 and later, tvOS + 10.2 and later, and macOS 10.12 and later. - key: SoftwareUpdate title: Skip automatic software update configuration pane supportedOS: @@ -330,7 +365,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the mandatory software update screen in iOS. Availability: iOS 12+.' + content: The key to skip the mandatory software update screen in iOS. This key is + available in iOS 12 and later. - key: TapToSetup title: Skips simplified tap setup supportedOS: @@ -342,8 +378,8 @@ payloadkeys: always-skippable: false type: presence: optional - content: 'Skips the Tap To Set Up option in AppleTV about using an iOS device to - set up your AppleTV. Availability: tvOS 10.2+.' + content: The key to skip the Tap To Set Up option in AppleTV about using an iOS + device to set up your AppleTV. This key is available in tvOS 10.2 and later. - key: TermsOfAddress title: Skips Terms of Address supportedOS: @@ -357,13 +393,15 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the Terms of Address pane. Availability: iOS 16+, and macOS 13+.' + content: The key to skip the Terms of Address pane. This key isn't always skippable + because this pane appears before the device retrieves the Cloud Configuration + from the server. This key is available in iOS 16 and later, and macOS 13 and later. - key: TOS title: Skips Terms and Conditions type: presence: optional - content: 'Skips Terms and Conditions. Availability: iOS 7+, tvOS 10.2+, and macOS - 10.9+.' + content: The key to skip Terms and Conditions. This key is available in iOS 7 and + later, tvOS 10.2 and later, and macOS 10.9 and later. - key: TVHomeScreenSync title: Skip TV Home Screen supportedOS: 
@@ -375,7 +413,8 @@ payloadkeys: introduced: '11.0' type: presence: optional - content: 'Skips TV home screen layout sync screen. Availability: tvOS 11+.' + content: The key to skip TV home screen layout sync screen. This key is available + in tvOS 11 and later. - key: TVProviderSignIn title: Skip TV provider sign in supportedOS: @@ -387,7 +426,8 @@ payloadkeys: introduced: '11.0' type: presence: optional - content: 'Skips the TV provider sign in screen. Availability: tvOS 11+.' + content: The key to skip the TV provider sign in screen. This key is available in + tvOS 11 and later. - key: TVRoom title: Skip Where is this Apple TV pane supportedOS: @@ -399,8 +439,8 @@ payloadkeys: introduced: '11.4' type: presence: optional - content: 'Skips the “Where is this Apple TV?” screen in tvOS. Availability: tvOS - 11.4+.' + content: The key to skip the “Where is this Apple TV?” screen in tvOS. This key + is available in tvOS 11.4 and later. - key: UpdateCompleted title: Skips Software Update Complete pane supportedOS: @@ -412,7 +452,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the Software Update Complete pane. Availability: iOS 14+.' + content: The key to skip the Software Update Complete pane. This field is available + in iOS 14 and later. - key: WatchMigration title: Skip watch migration supportedOS: @@ -424,7 +465,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the screen for watch migration. Availability: iOS 11+.' + content: The key to skip the screen for watch migration. This key is available in + iOS 11 and later. - key: Welcome title: Skip Get Started pane supportedOS: 
@@ -436,16 +478,19 @@ payloadkeys: introduced: n/a type: presence: optional - content: 'Skips the Get Started pane. Availability: iOS 13+.' + content: The key to skip the Get Started pane. This key is available in iOS 13 and + later. - key: Zoom title: Skips setting zoom configuration supportedOS: iOS: introduced: '8.3' + deprecated: '17.0' macOS: introduced: n/a tvOS: introduced: n/a type: presence: optional - content: 'Skips zoom setup. Availability: iOS 8.3+.' + content: The key to skip zoom setup. This key is available in iOS 8.3 and later, + and deprecated in iOS 17.
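Review bot: In the `@@ -1148,10 +1177,54 @@` hunk of the VPN profile, `DNSProtocol` is added with `presence: required` inside the existing `DNS` dictionary, which until now carried only `ServerAddresses` and the other pre-existing subkeys; any profile written before this key existed will fail a strict validator. Either mark it `presence: optional` with the default the system applies when the key is absent, or state in `content` that it is required only on releases that support it. The three new subkeys also list only `iOS`/`macOS` while the parent `DNS` dictionary just gained `watchOS: introduced: '10.0'`; add explicit `tvOS`/`watchOS` entries (`introduced: n/a` or a version) so availability is unambiguous.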
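Review bot: In the `@@ -1223,13 +1294,28 @@` hunk, the `format` regex for `PayloadCertificateUUID`, `^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-...`, accepts any alphanumeric characters, so a string that is not a valid UUID still passes; use `[0-9A-Fa-f]` in each group. The `content` line also has a typo: "That UUID that points to an identity certificate payload" should read "The UUID that points to an identity certificate payload."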
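Review bot: In the `@@ -1323,9 +1409,11 @@` hunk, the `AlwaysOn` content gains "Not available in watchOS." but the `supportedOS` block only adds `tvOS: introduced: n/a`; add `watchOS: introduced: n/a` as well so the machine-readable schema carries the same restriction as the prose.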
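Review bot: In the `@@ -1460,5 +1548,29 @@` hunk, the new `TransparentProxy.Order` key is documented only as "A positive integer." without saying what the order governs (presumably the position of this proxy relative to other transparent proxies) or whether lower or higher values take precedence; spell that out, and add a minimum if zero is invalid. As with `AlwaysOn`, the parent says "Not available in watchOS." but `supportedOS` has no `watchOS` entry; add `watchOS: introduced: n/a` to both `TransparentProxy` and `Order`.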
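Review bot: In the `@@ -46,8 +48,7 @@` hunk of com.apple.webClip.managed.yaml, the sentence "If the URL doesn't begin with 'HTTP' or 'HTTPS', it doesn't work." is dropped without replacement. If the scheme restriction still holds, the documentation loses a real constraint; if it no longer holds, say so in the commit message and state which schemes are accepted.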
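Review bot: In the `@@ -152,23 +156,15 @@` hunk of com.apple.wifi.managed.yaml, `OneTimePassword` is removed outright rather than marked `deprecated:`, while the later `@@ -321,9 +319,16 @@` hunk gives `OneTimeUserPassword` the same `iOS: introduced: '8.0'`. If this is a rename, keep the old key with a `deprecated:` entry and a pointer to the new one so schema consumers can detect it, as was done for `QoSMarkingWhitelistAppIdentifiers` elsewhere in this file. Also fix the grammar in the new `PayloadCertificateAnchorUUID` text: "An array of the UUID of a certificate payloads" should be "An array of the UUIDs of certificate payloads".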
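Review bot: In the `@@ -192,7 +188,7 @@` hunk, the added sentence "If necessary, use wildcards to specify the name, such as 'wpa.*.example.com'" does not say how the wildcard matches (a single DNS label only, or any number of labels). Since `TLSTrustedServerNames` decides which server certificates the device accepts for EAP, state the matching rule explicitly so administrators can tell how broad a pattern is.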
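Review bot: In the `@@ -262,6 +259,7 @@` hunk, `'1.3'` is added to the `TLSMaximumVersion` range list but `default: '1.2'` is unchanged (and `TLSMinimumVersion` keeps `default: '1.0'` in the preceding hunk). Confirm those defaults still describe what the system negotiates when the keys are absent; if the OS now allows TLS 1.3 by default, the documented maximum should change with it.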
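Review bot: In the `@@ -321,9 +319,16 @@` hunk, the removed and added lines for "If using this property, you can't use 'SystemModeCredentialsSource'." are textually identical, so this appears to be a trailing-whitespace-only change; drop it from the hunk so the diff shows only the `OneTimeUserPassword` `supportedOS` addition.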
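Review bot: In the `@@ -47,10 +49,46 @@` hunk of other/machineinfo.yaml, `OS_VERSION` is `presence: required` but is introduced only in iOS 17.0, macOS 14.0 and tvOS 17.0; devices on earlier releases will not send it, so a server that validates against this schema must not treat its absence as an error. Mark it `presence: optional` or note that it is required only from those releases. The three new keys also omit `watchOS`, although the same patch adds `watchOS: introduced: '10.0'` to the payload; add an explicit entry.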
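Review bot: In the `@@ -86,3 +124,31 @@` hunk, `PAIRING_TOKEN` lists `iOS`, `macOS` and `tvOS` as `introduced: n/a` but has no `watchOS` entry even though the content describes watch enrollment; add `watchOS: introduced: '10.0'` so the key is attributed to some platform. In `MDM_CAN_REQUEST_SOFTWARE_UPDATE`, `If set to "true"` uses double quotes where the rest of the file writes `'true'`.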
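Review bot: In the `@@ -25,8 +27,8 @@` hunk of other/skipkeys.yaml, the `Accessibility` content replaces the condition "only if the Mac is connected to Ethernet and the cloud config is downloaded" with "when creating additional users". These describe different behaviour; confirm which is correct, and if both conditions apply, keep both.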
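Review bot: In the `@@ -51,12 +54,14 @@` hunk, availability is written inconsistently: "iOS 13+ and macOS 10.14 and later" and "iOS 7.0+, tvOS 10.2 and later, and macOS 10.9 and later". The rest of the patch uses "and later" throughout, so replace the remaining "+" forms.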
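Review bot: In the `@@ -107,11 +115,26 @@` hunk, the `EnableLockdownMode` content ("If the key is included in the SkipSetup array the Lockdown Mode pane will be skipped if an Apple ID/iCloud account is set up.") does not follow the "The key to skip ... This key is available in ..." pattern used for every other entry and omits the availability sentence. Suggest: "The key to skip the Lockdown Mode pane when an Apple ID/iCloud account is set up. This key is available in macOS 14 and later."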
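Review bot: In the `@@ -137,8 +160,9 @@` hunk, the `HomeButtonSensitivity` content now states "deprecated in iOS 15" but the hunk shows no corresponding `deprecated:` entry under `supportedOS`; make sure the machine-readable block carries `deprecated: '15.0'`, as the `DisplayTone` hunk does for macOS 12.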
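Review bot: In the `@@ -208,9 +236,9 @@` hunk, the `OnBoarding` availability changes from "iOS 11 - 13.6" to "available in iOS 11 and later, and deprecated in iOS 14"; as with `HomeButtonSensitivity`, ensure `supportedOS` has a matching `deprecated: '14.0'` entry so prose and schema agree.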
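Review bot: In the `@@ -242,8 +272,8 @@` hunk, the `Privacy` content says "iOS 11.13 and later, tvOS 11.13 and later" while the context line shows `introduced: '11.3'`. "11.13" is a typo carried over from the old text; since the line is being rewritten anyway, correct it to 11.3.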
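Review bot: In the `@@ -412,7 +452,8 @@` hunk, `UpdateCompleted` says "This field is available in iOS 14 and later" where every other entry says "This key is available"; use "key" for consistency.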